Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
TBI87y49f9.exe

Overview

General Information

Sample name:TBI87y49f9.exe
renamed because original name is a hash value
Original sample name:08494e6a1e788ea3259955a4524fdfec.exe
Analysis ID:1589508
MD5:08494e6a1e788ea3259955a4524fdfec
SHA1:2c8fa17d05251b515cc52694335a88c7a609e303
SHA256:9eee9d46e5ea0b25bd904760a998a54550ab3800666d01e27aa8ff52626ece94
Tags:exeLummaStealeruser-abuse_ch
Infos:

Detection

LummaC
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
LummaC encrypted strings found
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
AV process strings found (often used to terminate AV products)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • TBI87y49f9.exe (PID: 1520 cmdline: "C:\Users\user\Desktop\TBI87y49f9.exe" MD5: 08494E6A1E788EA3259955A4524FDFEC)
    • WerFault.exe (PID: 1560 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 1668 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Lumma Stealer, LummaC2 StealerLumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["robinsharez.shop", "femalsabler.shop", "crowdwarek.shop", "apporholis.shop", "soundtappysk.shop", "handscreamny.shop", "skidjazzyric.click", "chipdonkeruz.shop", "versersleep.shop"], "Build id": "4h5VfH--"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.2286759984.0000000000793000.00000040.00000020.00020000.00000000.sdmpWindows_Trojan_RedLineStealer_ed346e4cunknownunknown
  • 0xd98:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmpWindows_Trojan_Smokeloader_3687686funknownunknown
  • 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
decrypted.memstrJoeSecurity_LummaCStealer_2Yara detected LummaC StealerJoe Security

    Sigma Signatures

    No Sigma rule has matched

    Suricata Signatures

    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2025-01-12T17:41:03.163545+010020283713Unknown Traffic192.168.2.549704104.102.49.254443TCP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2025-01-12T17:41:02.340299+010020590351Domain Observed Used for C2 Detected192.168.2.5510081.1.1.153UDP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2025-01-12T17:41:02.396471+010020590371Domain Observed Used for C2 Detected192.168.2.5573011.1.1.153UDP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2025-01-12T17:41:02.351535+010020590391Domain Observed Used for C2 Detected192.168.2.5636291.1.1.153UDP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2025-01-12T17:41:02.328758+010020590411Domain Observed Used for C2 Detected192.168.2.5565041.1.1.153UDP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2025-01-12T17:41:02.408856+010020590431Domain Observed Used for C2 Detected192.168.2.5620421.1.1.153UDP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2025-01-12T17:41:02.424055+010020590491Domain Observed Used for C2 Detected192.168.2.5648641.1.1.153UDP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2025-01-12T17:41:02.297847+010020590881Domain Observed Used for C2 Detected192.168.2.5590301.1.1.153UDP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2025-01-12T17:41:02.314679+010020590511Domain Observed Used for C2 Detected192.168.2.5542771.1.1.153UDP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2025-01-12T17:41:02.384654+010020590571Domain Observed Used for C2 Detected192.168.2.5508871.1.1.153UDP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2025-01-12T17:41:03.622577+010028586661Domain Observed Used for C2 Detected192.168.2.549704104.102.49.254443TCP

    Joe Sandbox Signatures

    Click to jump to signature section

    Show All Signature Results

    AV Detection

    barindex
    Antivirus detection for URL or domain
    Source: https://chipdonkeruz.shop/Avira URL Cloud: Label: malware
    Source: https://versersleep.shop/Avira URL Cloud: Label: malware
    Source: https://versersleep.shop/tAvira URL Cloud: Label: malware
    Source: https://robinsharez.shop/LAvira URL Cloud: Label: malware
    Source: https://robinsharez.shop/Avira URL Cloud: Label: malware
    Source: https://crowdwarek.shop/Avira URL Cloud: Label: malware
    Found malware configuration
    Source: 0.2.TBI87y49f9.exe.400000.0.unpackMalware Configuration Extractor: LummaC {"C2 url": ["robinsharez.shop", "femalsabler.shop", "crowdwarek.shop", "apporholis.shop", "soundtappysk.shop", "handscreamny.shop", "skidjazzyric.click", "chipdonkeruz.shop", "versersleep.shop"], "Build id": "4h5VfH--"}
    Multi AV Scanner detection for submitted file
    Source: TBI87y49f9.exeReversingLabs: Detection: 50%
    Source: TBI87y49f9.exeVirustotal: Detection: 38%Perma Link
    AI detected suspicious sample
    Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
    Machine Learning detection for sample
    Source: TBI87y49f9.exeJoe Sandbox ML: detected
    Sample uses string decryption to hide its real strings
    Source: 00000000.00000003.2054941285.00000000021B0000.00000004.00001000.00020000.00000000.sdmpString decryptor: robinsharez.shop
    Source: 00000000.00000003.2054941285.00000000021B0000.00000004.00001000.00020000.00000000.sdmpString decryptor: handscreamny.shop
    Source: 00000000.00000003.2054941285.00000000021B0000.00000004.00001000.00020000.00000000.sdmpString decryptor: chipdonkeruz.shop
    Source: 00000000.00000003.2054941285.00000000021B0000.00000004.00001000.00020000.00000000.sdmpString decryptor: versersleep.shop
    Source: 00000000.00000003.2054941285.00000000021B0000.00000004.00001000.00020000.00000000.sdmpString decryptor: crowdwarek.shop
    Source: 00000000.00000003.2054941285.00000000021B0000.00000004.00001000.00020000.00000000.sdmpString decryptor: apporholis.shop
    Source: 00000000.00000003.2054941285.00000000021B0000.00000004.00001000.00020000.00000000.sdmpString decryptor: femalsabler.shop
    Source: 00000000.00000003.2054941285.00000000021B0000.00000004.00001000.00020000.00000000.sdmpString decryptor: soundtappysk.shop
    Source: 00000000.00000003.2054941285.00000000021B0000.00000004.00001000.00020000.00000000.sdmpString decryptor: skidjazzyric.click
    Source: 00000000.00000003.2054941285.00000000021B0000.00000004.00001000.00020000.00000000.sdmpString decryptor: lid=%s&j=%s&ver=4.0
    Source: 00000000.00000003.2054941285.00000000021B0000.00000004.00001000.00020000.00000000.sdmpString decryptor: TeslaBrowser/5.5
    Source: 00000000.00000003.2054941285.00000000021B0000.00000004.00001000.00020000.00000000.sdmpString decryptor: - Screen Resoluton:
    Source: 00000000.00000003.2054941285.00000000021B0000.00000004.00001000.00020000.00000000.sdmpString decryptor: - Physical Installed Memory:
    Source: 00000000.00000003.2054941285.00000000021B0000.00000004.00001000.00020000.00000000.sdmpString decryptor: Workgroup: -
    Source: 00000000.00000003.2054941285.00000000021B0000.00000004.00001000.00020000.00000000.sdmpString decryptor: 4h5VfH--

    Compliance

    barindex
    Detected unpacking (overwrites its own PE header)
    Source: C:\Users\user\Desktop\TBI87y49f9.exeUnpacked PE file: 0.2.TBI87y49f9.exe.400000.0.unpack
    Source: TBI87y49f9.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: C:\Users\user\Desktop\TBI87y49f9.exeFile opened: C:\Windows\SysWOW64\msvcr100.dllJump to behavior
    Source: unknownHTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49704 version: TLS 1.2
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov ecx, edx0_2_0040B2B0
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then cmp dword ptr [edx+ecx*8], 1ED645B4h0_2_00419840
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then movzx edx, byte ptr [edi+eax]0_2_0040A05C
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h0_2_00427070
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov dword ptr [esp+3Ch], edx0_2_0043B870
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov edx, ecx0_2_0043B870
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then add ebp, dword ptr [esp+0Ch]0_2_0042D830
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then cmp dword ptr [edi+esi*8], 01FCE602h0_2_0043F0E0
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov byte ptr [edi], al0_2_0041B882
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then jmp eax0_2_004418A0
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov byte ptr [edi], al0_2_0041B173
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h0_2_0042B170
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov word ptr [eax], cx0_2_0041A900
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov byte ptr [edi], al0_2_0041B184
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then test esi, esi0_2_0043C9A0
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov byte ptr [ecx], al0_2_0041B243
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov byte ptr [esi], cl0_2_0042EA62
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov eax, dword ptr [edi+0Ch]0_2_00402210
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov ecx, eax0_2_0040AA32
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then movzx eax, byte ptr [ebp+esi-00001458h]0_2_00425AF0
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov ecx, eax0_2_00428280
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then movsx eax, byte ptr [esi+ecx]0_2_0041F2A0
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov ebx, eax0_2_00405AB0
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov ebp, eax0_2_00405AB0
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov byte ptr [esi], cl0_2_0042EB5F
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov ebx, dword ptr [edi+04h]0_2_0042BB00
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov byte ptr [edi], al0_2_0041BB21
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov dword ptr [esp+14h], 00000000h0_2_00441B20
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov byte ptr [edi], cl0_2_0041AB2A
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then movzx ebp, byte ptr [esp+edi+72B923DBh]0_2_0040C334
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then movzx edi, byte ptr [esp+edx+72B923DBh]0_2_0040C3EC
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov ebx, edx0_2_0042DBF0
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then jmp ecx0_2_0040D334
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h0_2_00422380
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then movzx edx, byte ptr [esp+ecx-000000E2h]0_2_0041BBA0
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov dword ptr [ebx], 00000022h0_2_0042BBA0
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov byte ptr [esi], cl0_2_0042EBA1
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov ecx, eax0_2_00440BAB
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov byte ptr [esi], cl0_2_0042EBB3
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov dword ptr [esp+14h], 00000000h0_2_00441BB0
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov dword ptr [esp+14h], 00000000h0_2_00441C40
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov ecx, eax0_2_00442470
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h0_2_00426C76
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov eax, edi0_2_0041C400
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov byte ptr [esi], al0_2_00417405
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then movzx esi, byte ptr [esp+edi+17ECFBF3h]0_2_00417405
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov edx, ecx0_2_00417405
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h0_2_00414C20
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov dword ptr [ebp-00000248h], 24272637h0_2_0044042D
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov ecx, eax0_2_0044042D
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov byte ptr [edi], cl0_2_0041B484
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov word ptr [esi], cx0_2_00427490
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h0_2_00425D6A
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then movzx ebx, byte ptr [edx]0_2_00438520
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then cmp dword ptr [ebp+edi*8+00h], 4B884A2Eh0_2_00442D20
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then push edi0_2_0043C5A0
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then movzx edx, byte ptr [esp+edi+53BD8A12h]0_2_0043C5A0
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h0_2_0042B652
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov byte ptr [edi], cl0_2_0041B667
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov ecx, dword ptr [0044C548h]0_2_00418672
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov word ptr [eax], cx0_2_00409E09
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]0_2_00407620
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then movzx ecx, word ptr [edi+esi*4]0_2_00407620
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then jmp ecx0_2_0040CEC7
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then movzx ecx, byte ptr [esp+eax+00000128h]0_2_00416ED0
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then movzx edx, byte ptr [esp+ecx+3A4EC517h]0_2_0041BEE1
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov byte ptr [edi], al0_2_0041AEFF
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov esi, ecx0_2_00415720
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov ecx, eax0_2_00415720
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then movzx ebx, byte ptr [edx+eax-03DAF14Eh]0_2_0040DFE2
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov byte ptr [eax], cl0_2_0040DFE2
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then movzx ecx, byte ptr [esp+ebx+08h]0_2_00408F90
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then cmp dword ptr [ebp+edi*8+00h], 0EF2A4EDh0_2_004427B0
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov esi, ecx0_2_009960EF
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov word ptr [eax], cx0_2_0098A070
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then movzx ecx, byte ptr [esp+ebx+08h]0_2_009891F7
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov dword ptr [esp+14h], 00000000h0_2_009C21EA
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then movzx ecx, byte ptr [esp+eax+00000128h]0_2_00997137
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then jmp ecx0_2_0098D12E
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then movzx edx, byte ptr [esp+ecx+3A4EC517h]0_2_0099C148
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov byte ptr [edi], al0_2_0099B166
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then movzx edx, byte ptr [edi+eax]0_2_0098A2C3
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then movzx ebx, byte ptr [edx+eax-03DAF14Eh]0_2_0098E249
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov byte ptr [eax], cl0_2_0098E249
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov byte ptr [edi], al0_2_0099B3DA
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov byte ptr [edi], al0_2_0099B3EB
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then cmp dword ptr [edi+esi*8], 01FCE602h0_2_009BF347
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov byte ptr [ecx], al0_2_0099B4AA
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov ecx, eax0_2_009A84E7
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov eax, dword ptr [edi+0Ch]0_2_00982477
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then movzx ebp, byte ptr [esp+edi+72B923DBh]0_2_0098C59B
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h0_2_009A25E7
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then movsx eax, byte ptr [esi+ecx]0_2_0099F507
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov dword ptr [ebp-00000248h], 24272637h0_2_009C0694
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov ecx, eax0_2_009C0694
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov ecx, eax0_2_009C26D7
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov word ptr [esi], cx0_2_009A76F7
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov byte ptr [edi], cl0_2_0099B6EB
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then jmp ecx0_2_0098D59B
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov eax, edi0_2_0099C667
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then movzx ebx, byte ptr [edx]0_2_009B8787
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov byte ptr [esi], al0_2_0099773F
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]0_2_00987887
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then movzx ecx, word ptr [edi+esi*4]0_2_00987887
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h0_2_009AB8B5
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h0_2_009958FA
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov ecx, dword ptr [0044C548h]0_2_00998809
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then push edi0_2_009BC807
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then movzx edx, byte ptr [esp+edi+53BD8A12h]0_2_009BC807
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then add ebp, dword ptr [esp+0Ch]0_2_009ADA97
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then cmp dword ptr [edx+ecx*8], 1ED645B4h0_2_00999AA7
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov dword ptr [esp+3Ch], edx0_2_009BBAD7
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov edx, ecx0_2_009BBAD7
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov byte ptr [edi], al0_2_0099BAE9
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then movzx esi, byte ptr [esp+edi+17ECFBF3h]0_2_00997AE4
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov edx, ecx0_2_00997AE4
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then cmp dword ptr [ebp+edi*8+00h], 0EF2A4EDh0_2_009C2A17
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov ecx, edx0_2_0098BA6C
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h0_2_009A6BA7
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov word ptr [eax], cx0_2_0099AB67
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov ecx, eax0_2_0098AC99
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov byte ptr [esi], cl0_2_009AECC9
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then test esi, esi0_2_009BCC07
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then jmp eax0_2_009C1C3E
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov byte ptr [edi], cl0_2_0099AD91
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov byte ptr [edi], al0_2_0099BD88
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov byte ptr [esi], cl0_2_009AEDC6
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov ecx, eax0_2_00996D15
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov ebx, eax0_2_00985D17
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov ebp, eax0_2_00985D17
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then movzx eax, byte ptr [ebp+esi-00001458h]0_2_009A5D57
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov ebx, dword ptr [edi+04h]0_2_009ABD67
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov byte ptr [esi], cl0_2_009AEE1A
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov ecx, eax0_2_009C0E12
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov byte ptr [esi], cl0_2_009AEE08
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov dword ptr [ebx], 00000022h0_2_009ABE07
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then movzx edx, byte ptr [esp+ecx-000000E2h]0_2_0099BE2C
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then mov ebx, edx0_2_009ADE57
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 4x nop then cmp dword ptr [ebp+edi*8+00h], 4B884A2Eh0_2_009C2F87

    Networking

    barindex
    Suricata IDS alerts for network traffic
    Source: Network trafficSuricata IDS: 2059049 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (robinsharez .shop) : 192.168.2.5:64864 -> 1.1.1.1:53
    Source: Network trafficSuricata IDS: 2059043 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (handscreamny .shop) : 192.168.2.5:62042 -> 1.1.1.1:53
    Source: Network trafficSuricata IDS: 2059051 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (soundtappysk .shop) : 192.168.2.5:54277 -> 1.1.1.1:53
    Source: Network trafficSuricata IDS: 2059035 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (apporholis .shop) : 192.168.2.5:51008 -> 1.1.1.1:53
    Source: Network trafficSuricata IDS: 2059057 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (versersleep .shop) : 192.168.2.5:50887 -> 1.1.1.1:53
    Source: Network trafficSuricata IDS: 2059088 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (skidjazzyric .click) : 192.168.2.5:59030 -> 1.1.1.1:53
    Source: Network trafficSuricata IDS: 2059039 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crowdwarek .shop) : 192.168.2.5:63629 -> 1.1.1.1:53
    Source: Network trafficSuricata IDS: 2059041 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (femalsabler .shop) : 192.168.2.5:56504 -> 1.1.1.1:53
    Source: Network trafficSuricata IDS: 2059037 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (chipdonkeruz .shop) : 192.168.2.5:57301 -> 1.1.1.1:53
    Source: Network trafficSuricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.5:49704 -> 104.102.49.254:443
    C2 URLs / IPs found in malware configuration
    Source: Malware configuration extractorURLs: robinsharez.shop
    Source: Malware configuration extractorURLs: femalsabler.shop
    Source: Malware configuration extractorURLs: crowdwarek.shop
    Source: Malware configuration extractorURLs: apporholis.shop
    Source: Malware configuration extractorURLs: soundtappysk.shop
    Source: Malware configuration extractorURLs: handscreamny.shop
    Source: Malware configuration extractorURLs: skidjazzyric.click
    Source: Malware configuration extractorURLs: chipdonkeruz.shop
    Source: Malware configuration extractorURLs: versersleep.shop
    Source: Joe Sandbox ViewIP Address: 104.102.49.254 104.102.49.254
    Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
    Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49704 -> 104.102.49.254:443
    Source: global trafficHTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global trafficHTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
    Source: TBI87y49f9.exe, 00000000.00000002.2286993920.0000000000831000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
    Source: TBI87y49f9.exe, 00000000.00000002.2286839943.0000000000820000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.ste equals www.youtube.com (Youtube)
    Source: TBI87y49f9.exe, 00000000.00000003.2075410847.0000000000820000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=50416a7e87dd6a708f4e611b; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type25665Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveSun, 12 Jan 2025 16:41:03 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control6 equals www.youtube.com (Youtube)
    Source: TBI87y49f9.exe, 00000000.00000003.2075506850.000000000082A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
    Source: TBI87y49f9.exe, 00000000.00000003.2075506850.000000000082A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=50416a7e87dd6a708f4e611b; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type25665Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveSun, 12 Jan 2025 16:41:03 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control6 equals www.youtube.com (Youtube)
    Source: TBI87y49f9.exe, 00000000.00000002.2286839943.0000000000820000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.ste equals www.youtube.com (Youtube)
    Source: TBI87y49f9.exe, 00000000.00000003.2075410847.0000000000820000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
    Source: global trafficDNS traffic detected: DNS query: skidjazzyric.click
    Source: global trafficDNS traffic detected: DNS query: soundtappysk.shop
    Source: global trafficDNS traffic detected: DNS query: femalsabler.shop
    Source: global trafficDNS traffic detected: DNS query: apporholis.shop
    Source: global trafficDNS traffic detected: DNS query: crowdwarek.shop
    Source: global trafficDNS traffic detected: DNS query: versersleep.shop
    Source: global trafficDNS traffic detected: DNS query: chipdonkeruz.shop
    Source: global trafficDNS traffic detected: DNS query: handscreamny.shop
    Source: global trafficDNS traffic detected: DNS query: robinsharez.shop
    Source: global trafficDNS traffic detected: DNS query: steamcommunity.com
    Source: TBI87y49f9.exe, 00000000.00000003.2075410847.0000000000820000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://127.0.0.1:27060
    Source: TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075292760.00000000007E7000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000863000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
    Source: TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075292760.00000000007E7000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000863000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://store.steampowered.com/privacy_agreement/
    Source: TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075292760.00000000007E7000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000863000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://store.steampowered.com/subscriber_agreement/
    Source: Amcache.hve.4.drString found in binary or memory: http://upx.sf.net
    Source: TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.valvesoftware.com/legal.htm
    Source: TBI87y49f9.exe, 00000000.00000003.2075410847.0000000000820000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.steampowered.com/
    Source: TBI87y49f9.exe, 00000000.00000003.2075410847.0000000000820000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://broadcast.st.dl.eccdnx.com
    Source: TBI87y49f9.exe, 00000000.00000003.2075410847.0000000000820000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
    Source: TBI87y49f9.exe, 00000000.00000003.2075506850.000000000082A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://checkout.steampowered.com/
    Source: TBI87y49f9.exe, 00000000.00000003.2075678748.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075534178.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000002.2286839943.00000000007E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chipdonkeruz.shop/
    Source: TBI87y49f9.exe, 00000000.00000003.2075410847.0000000000820000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/
    Source: TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075678748.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000863000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075534178.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000002.2286839943.00000000007E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=SCXpgixTDzt4&a
    Source: TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000863000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
    Source: TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000863000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/fatalerror.css?v=OFUqlcDNiD6y&l=engli
    Source: TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000863000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
    Source: TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075292760.00000000007E7000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000863000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
    Source: TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075678748.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000863000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075534178.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000002.2286839943.00000000007E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
    Source: TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075292760.00000000007E7000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000863000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=M_FULq_A
    Source: TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075678748.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000863000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075534178.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000002.2286839943.00000000007E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=lviE
    Source: TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000863000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
    Source: TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000863000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
    Source: TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000863000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
    Source: TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000863000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
    Source: TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000863000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
    Source: TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000863000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
    Source: TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000863000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=Eq36AUaEgab8&l=en
    Source: TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000863000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
    Source: TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
    Source: TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
    Source: TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
    Source: TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
    Source: TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000863000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
    Source: TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000863000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
    Source: TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000863000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
    Source: TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000863000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
    Source: TBI87y49f9.exe, 00000000.00000002.2286839943.00000000007E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://crowdwarek.shop/
    Source: TBI87y49f9.exe, 00000000.00000002.2286839943.0000000000820000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.ste
    Source: TBI87y49f9.exe, 00000000.00000003.2075410847.0000000000820000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.steampowered.com/
    Source: TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.steampowered.com/en/
    Source: TBI87y49f9.exe, 00000000.00000003.2075506850.000000000082A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.steampowered.com/
    Source: TBI87y49f9.exe, 00000000.00000003.2075410847.0000000000820000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lv.queniujq.cn
    Source: TBI87y49f9.exe, 00000000.00000003.2075506850.000000000082A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://medal.tv
    Source: TBI87y49f9.exe, 00000000.00000003.2075506850.000000000082A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://player.vimeo.com
    Source: TBI87y49f9.exe, 00000000.00000003.2075410847.0000000000820000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net
    Source: TBI87y49f9.exe, 00000000.00000003.2075506850.000000000082A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net/recaptcha/;
    Source: TBI87y49f9.exe, 00000000.00000003.2075678748.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075534178.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000002.2286839943.00000000007E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://robinsharez.shop/
    Source: TBI87y49f9.exe, 00000000.00000003.2075678748.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075534178.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000002.2286839943.00000000007E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://robinsharez.shop/L
    Source: TBI87y49f9.exe, 00000000.00000003.2075410847.0000000000820000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://s.ytimg.com;
    Source: TBI87y49f9.exe, 00000000.00000003.2075506850.000000000082A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sketchfab.com
    Source: TBI87y49f9.exe, 00000000.00000003.2075410847.0000000000820000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steam.tv/
    Source: TBI87y49f9.exe, 00000000.00000003.2075410847.0000000000820000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast-test.akamaized.net
    Source: TBI87y49f9.exe, 00000000.00000003.2075410847.0000000000820000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast.akamaized.net
    Source: TBI87y49f9.exe, 00000000.00000003.2075410847.0000000000820000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcastchat.akamaized.net
    Source: TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075292760.00000000007E7000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000863000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com
    Source: TBI87y49f9.exe, 00000000.00000002.2286839943.00000000007E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/
    Source: TBI87y49f9.exe, 00000000.00000003.2075678748.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075534178.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000002.2286839943.00000000007E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/4
    Source: TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
    Source: TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000863000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/S
    Source: TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/discussions/
    Source: TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075292760.00000000007E7000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000863000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
    Source: TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
    Source: TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/market/
    Source: TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000863000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/my/wishlist/
    Source: TBI87y49f9.exe, 00000000.00000003.2075678748.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075534178.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000002.2286839943.00000000007E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
    Source: TBI87y49f9.exe, 00000000.00000003.2075678748.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075534178.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000002.2286839943.00000000007E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/765611997243319003
    Source: TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/workshop/
    Source: TBI87y49f9.exe, 00000000.00000003.2075410847.0000000000820000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/
    Source: TBI87y49f9.exe, 00000000.00000003.2075410847.0000000000831000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000002.2286993920.0000000000831000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075410847.0000000000820000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075506850.000000000082A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/;
    Source: TBI87y49f9.exe, 00000000.00000003.2075410847.0000000000820000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075506850.000000000082A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb
    Source: TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/about/
    Source: TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000863000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/explore/
    Source: TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075292760.00000000007E7000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000863000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/legal/
    Source: TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/mobile
    Source: TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/news/
    Source: TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000863000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/points/shop
    Source: TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/points/shop/
    Source: TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/privacy_agreement/
    Source: TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/stats/
    Source: TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/steam_refunds/
    Source: TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/subscriber_agreement/
    Source: TBI87y49f9.exe, 00000000.00000003.2075678748.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075534178.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000002.2286839943.00000000007E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://versersleep.shop/
    Source: TBI87y49f9.exe, 00000000.00000003.2075678748.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075534178.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000002.2286839943.00000000007E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://versersleep.shop/t
    Source: TBI87y49f9.exe, 00000000.00000003.2075506850.000000000082A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
    Source: TBI87y49f9.exe, 00000000.00000003.2075506850.000000000082A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/recaptcha/
    Source: TBI87y49f9.exe, 00000000.00000003.2075410847.0000000000820000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.cn/recaptcha/
    Source: TBI87y49f9.exe, 00000000.00000003.2075410847.0000000000820000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/recaptcha/
    Source: TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075292760.00000000007E7000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000863000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
    Source: TBI87y49f9.exe, 00000000.00000003.2075506850.000000000082A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com
    Source: TBI87y49f9.exe, 00000000.00000003.2075410847.0000000000820000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/
    Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704
    Source: unknownHTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49704 version: TLS 1.2
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_004367F0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,0_2_004367F0
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_004367F0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,0_2_004367F0
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_00436980 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,StretchBlt,ReleaseDC,DeleteObject,DeleteObject,0_2_00436980

    System Summary

    barindex
    Malicious sample detected (through community Yara rule)
    Source: 00000000.00000002.2286759984.0000000000793000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
    Source: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_004088800_2_00408880
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_0040B2B00_2_0040B2B0
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_004198400_2_00419840
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_004068500_2_00406850
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_004278600_2_00427860
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_004270700_2_00427070
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_0043B8700_2_0043B870
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_004060000_2_00406000
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_0043080E0_2_0043080E
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_0043F8200_2_0043F820
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_0041D0C00_2_0041D0C0
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_004418A00_2_004418A0
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_0041194F0_2_0041194F
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_0043F1500_2_0043F150
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_0042B1700_2_0042B170
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_004039000_2_00403900
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_004251000_2_00425100
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_004399230_2_00439923
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_004271330_2_00427133
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_004339300_2_00433930
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_004121DB0_2_004121DB
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_0042A9F70_2_0042A9F7
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_0040E9B00_2_0040E9B0
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_0041825B0_2_0041825B
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_0042EA620_2_0042EA62
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_0040CA620_2_0040CA62
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_00442A600_2_00442A60
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_0041DAD00_2_0041DAD0
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_00429ADE0_2_00429ADE
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_00425AF00_2_00425AF0
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_004092A00_2_004092A0
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_00405AB00_2_00405AB0
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_004042B00_2_004042B0
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_0043CB400_2_0043CB40
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_0042EB5F0_2_0042EB5F
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_004083600_2_00408360
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_00428B670_2_00428B67
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_00437B690_2_00437B69
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_00402B200_2_00402B20
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_00441B200_2_00441B20
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_00432B240_2_00432B24
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_004063C00_2_004063C0
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_0042DBF00_2_0042DBF0
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_004223800_2_00422380
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_0041BBA00_2_0041BBA0
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_0042BBA00_2_0042BBA0
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_0042EBA10_2_0042EBA1
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_0042EBB30_2_0042EBB3
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_00441BB00_2_00441BB0
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_00441C400_2_00441C40
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_004424700_2_00442470
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_00426C760_2_00426C76
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_0041D4000_2_0041D400
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_0041C4000_2_0041C400
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_004174050_2_00417405
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_00414C200_2_00414C20
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_004324260_2_00432426
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_004284370_2_00428437
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_0043443D0_2_0043443D
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_004354C40_2_004354C4
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_00434CEF0_2_00434CEF
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_0043A4EF0_2_0043A4EF
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_004374AB0_2_004374AB
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_0041DCB00_2_0041DCB0
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_0043ACB00_2_0043ACB0
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_0042FCBC0_2_0042FCBC
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_0040D5450_2_0040D545
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_00425D6A0_2_00425D6A
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_00435D130_2_00435D13
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_00442D200_2_00442D20
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_0043CD270_2_0043CD27
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_00420D900_2_00420D90
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_0043C5A00_2_0043C5A0
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_00421E700_2_00421E70
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_004366100_2_00436610
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_004076200_2_00407620
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_0040AE300_2_0040AE30
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_0041F6D00_2_0041F6D0
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_00416ED00_2_00416ED0
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_0041BEE10_2_0041BEE1
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_00402EF00_2_00402EF0
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_004186FC0_2_004186FC
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_00423EFF0_2_00423EFF
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_00431E8E0_2_00431E8E
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_0041A6900_2_0041A690
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_004157200_2_00415720
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_0041AF240_2_0041AF24
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_00427F300_2_00427F30
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_0040DFE20_2_0040DFE2
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_004257E00_2_004257E0
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_00429FE40_2_00429FE4
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_0040CFEC0_2_0040CFEC
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_004097900_2_00409790
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_004427B00_2_004427B0
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_00441FB00_2_00441FB0
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_0098B0970_2_0098B097
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_009A60B70_2_009A60B7
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_009A20D70_2_009A20D7
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_009B20F50_2_009B20F5
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_009C20170_2_009C2017
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_009A81970_2_009A8197
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_0099B18B0_2_0099B18B
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_009831570_2_00983157
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_0099C1480_2_0099C148
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_009A41660_2_009A4166
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_0098D2530_2_0098D253
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_0098E2490_2_0098E249
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_009862670_2_00986267
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_009A73B20_2_009A73B2
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_009BF3B70_2_009BF3B7
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_009AA3050_2_009AA305
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_0099D3270_2_0099D327
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_009984C20_2_009984C2
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_009924420_2_00992442
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_009885C70_2_009885C7
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_009A25E70_2_009A25E7
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_009845170_2_00984517
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_009895070_2_00989507
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_009B268D0_2_009B268D
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_009B46A40_2_009B46A4
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_009C26D70_2_009C26D7
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_009866270_2_00986627
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_0099D6670_2_0099D667
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_0099C6670_2_0099C667
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_0098D7AC0_2_0098D7AC
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_009B77120_2_009B7712
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_009B572B0_2_009B572B
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_009BA7560_2_009BA756
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_009878870_2_00987887
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_0099A8F70_2_0099A8F7
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_009BC8070_2_009BC807
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_009B68770_2_009B6877
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_009899F70_2_009899F7
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_0099F9370_2_0099F937
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_009BFA870_2_009BFA87
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_00986AB70_2_00986AB7
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_00999AA70_2_00999AA7
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_009BBAD70_2_009BBAD7
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_00997AE40_2_00997AE4
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_00988AE70_2_00988AE7
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_009C2A170_2_009C2A17
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_009B0A750_2_009B0A75
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_009B3B970_2_009B3B97
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_009B9B8A0_2_009B9B8A
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_00991BB60_2_00991BB6
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_00983B670_2_00983B67
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_0098CCC90_2_0098CCC9
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_009AECC90_2_009AECC9
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_009C2CC70_2_009C2CC7
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_0098EC170_2_0098EC17
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_009B2D8B0_2_009B2D8B
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_00982D870_2_00982D87
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_009BCDA70_2_009BCDA7
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_009B7DD00_2_009B7DD0
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_009AEDC60_2_009AEDC6
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_00985D170_2_00985D17
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_0099DD370_2_0099DD37
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_00994E870_2_00994E87
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_009AEE1A0_2_009AEE1A
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_009AEE080_2_009AEE08
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_009ABE070_2_009ABE07
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_009ADE570_2_009ADE57
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_009C2F870_2_009C2F87
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_00997FFA0_2_00997FFA
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_009A0FF70_2_009A0FF7
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_009BAF170_2_009BAF17
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_0099DF170_2_0099DF17
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_009AFF230_2_009AFF23
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_009B4F560_2_009B4F56
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_009B5F7A0_2_009B5F7A
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: String function: 00414C10 appears 116 times
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: String function: 009883D7 appears 77 times
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: String function: 00994E77 appears 116 times
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: String function: 00408170 appears 45 times
    Source: C:\Users\user\Desktop\TBI87y49f9.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 1668
    Source: TBI87y49f9.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: 00000000.00000002.2286759984.0000000000793000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
    Source: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
    Source: TBI87y49f9.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: classification engineClassification label: mal100.troj.evad.winEXE@2/5@10/1
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_00793DC6 CreateToolhelp32Snapshot,Module32First,0_2_00793DC6
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_0043B870 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,0_2_0043B870
    Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1520
    Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\076dc566-dbf2-4c3c-add2-a2bc49f81b35Jump to behavior
    Source: TBI87y49f9.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\TBI87y49f9.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: TBI87y49f9.exeReversingLabs: Detection: 50%
    Source: TBI87y49f9.exeVirustotal: Detection: 38%
    Source: C:\Users\user\Desktop\TBI87y49f9.exeFile read: C:\Users\user\Desktop\TBI87y49f9.exeJump to behavior
    Source: unknownProcess created: C:\Users\user\Desktop\TBI87y49f9.exe "C:\Users\user\Desktop\TBI87y49f9.exe"
    Source: C:\Users\user\Desktop\TBI87y49f9.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 1668
    Source: C:\Users\user\Desktop\TBI87y49f9.exeSection loaded: apphelp.dllJump to behavior
    Source: C:\Users\user\Desktop\TBI87y49f9.exeSection loaded: msimg32.dllJump to behavior
    Source: C:\Users\user\Desktop\TBI87y49f9.exeSection loaded: msvcr100.dllJump to behavior
    Source: C:\Users\user\Desktop\TBI87y49f9.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Users\user\Desktop\TBI87y49f9.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Users\user\Desktop\TBI87y49f9.exeSection loaded: winhttp.dllJump to behavior
    Source: C:\Users\user\Desktop\TBI87y49f9.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Users\user\Desktop\TBI87y49f9.exeSection loaded: webio.dllJump to behavior
    Source: C:\Users\user\Desktop\TBI87y49f9.exeSection loaded: mswsock.dllJump to behavior
    Source: C:\Users\user\Desktop\TBI87y49f9.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Users\user\Desktop\TBI87y49f9.exeSection loaded: winnsi.dllJump to behavior
    Source: C:\Users\user\Desktop\TBI87y49f9.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Users\user\Desktop\TBI87y49f9.exeSection loaded: dnsapi.dllJump to behavior
    Source: C:\Users\user\Desktop\TBI87y49f9.exeSection loaded: rasadhlp.dllJump to behavior
    Source: C:\Users\user\Desktop\TBI87y49f9.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Users\user\Desktop\TBI87y49f9.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Users\user\Desktop\TBI87y49f9.exeSection loaded: fwpuclnt.dllJump to behavior
    Source: C:\Users\user\Desktop\TBI87y49f9.exeSection loaded: schannel.dllJump to behavior
    Source: C:\Users\user\Desktop\TBI87y49f9.exeSection loaded: mskeyprotect.dllJump to behavior
    Source: C:\Users\user\Desktop\TBI87y49f9.exeSection loaded: ntasn1.dllJump to behavior
    Source: C:\Users\user\Desktop\TBI87y49f9.exeSection loaded: ncrypt.dllJump to behavior
    Source: C:\Users\user\Desktop\TBI87y49f9.exeSection loaded: ncryptsslp.dllJump to behavior
    Source: C:\Users\user\Desktop\TBI87y49f9.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Users\user\Desktop\TBI87y49f9.exeSection loaded: cryptsp.dllJump to behavior
    Source: C:\Users\user\Desktop\TBI87y49f9.exeSection loaded: rsaenh.dllJump to behavior
    Source: C:\Users\user\Desktop\TBI87y49f9.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Users\user\Desktop\TBI87y49f9.exeSection loaded: gpapi.dllJump to behavior
    Source: C:\Users\user\Desktop\TBI87y49f9.exeSection loaded: dpapi.dllJump to behavior
    Source: C:\Users\user\Desktop\TBI87y49f9.exeFile opened: C:\Windows\SysWOW64\msvcr100.dllJump to behavior

    Data Obfuscation

    barindex
    Detected unpacking (changes PE section rights)
    Source: C:\Users\user\Desktop\TBI87y49f9.exeUnpacked PE file: 0.2.TBI87y49f9.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.nosu:W;.muwav:W;.roxah:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
    Detected unpacking (overwrites its own PE header)
    Source: C:\Users\user\Desktop\TBI87y49f9.exeUnpacked PE file: 0.2.TBI87y49f9.exe.400000.0.unpack
    Source: TBI87y49f9.exeStatic PE information: section name: .nosu
    Source: TBI87y49f9.exeStatic PE information: section name: .muwav
    Source: TBI87y49f9.exeStatic PE information: section name: .roxah
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_00441850 push eax; mov dword ptr [esp], 0E0908DBh0_2_00441853
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_0079731E push esi; retn 001Ch0_2_00797322
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_00796776 push ebx; ret 0_2_00796777
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_0079874A pushad ; ret 0_2_0079874B
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_007987B5 pushfd ; ret 0_2_007987B6
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_009AB05A push ebp; iretd 0_2_009AB05D
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_009C1AB7 push eax; mov dword ptr [esp], 0E0908DBh0_2_009C1ABA
    Source: TBI87y49f9.exeStatic PE information: section name: .text entropy: 7.417548317236182
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\TBI87y49f9.exeAPI coverage: 10.0 %
    Source: C:\Users\user\Desktop\TBI87y49f9.exe TID: 768Thread sleep time: -60000s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\TBI87y49f9.exe TID: 5548Thread sleep time: -30000s >= -30000sJump to behavior
    Source: Amcache.hve.4.drBinary or memory string: VMware
    Source: Amcache.hve.4.drBinary or memory string: VMware Virtual USB Mouse
    Source: Amcache.hve.4.drBinary or memory string: vmci.syshbin
    Source: Amcache.hve.4.drBinary or memory string: VMware, Inc.
    Source: TBI87y49f9.exe, 00000000.00000002.2286839943.00000000007DB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW(`
    Source: Amcache.hve.4.drBinary or memory string: VMware20,1hbin@
    Source: Amcache.hve.4.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
    Source: Amcache.hve.4.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
    Source: Amcache.hve.4.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
    Source: TBI87y49f9.exe, 00000000.00000002.2286839943.0000000000820000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075410847.0000000000820000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
    Source: Amcache.hve.4.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
    Source: Amcache.hve.4.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
    Source: Amcache.hve.4.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
    Source: Amcache.hve.4.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
    Source: Amcache.hve.4.drBinary or memory string: vmci.sys
    Source: Amcache.hve.4.drBinary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
    Source: TBI87y49f9.exe, 00000000.00000002.2286839943.0000000000820000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075410847.0000000000820000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWi%
    Source: Amcache.hve.4.drBinary or memory string: vmci.syshbin`
    Source: Amcache.hve.4.drBinary or memory string: \driver\vmci,\driver\pci
    Source: Amcache.hve.4.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
    Source: Amcache.hve.4.drBinary or memory string: VMware20,1
    Source: Amcache.hve.4.drBinary or memory string: Microsoft Hyper-V Generation Counter
    Source: Amcache.hve.4.drBinary or memory string: NECVMWar VMware SATA CD00
    Source: Amcache.hve.4.drBinary or memory string: VMware Virtual disk SCSI Disk Device
    Source: Amcache.hve.4.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
    Source: Amcache.hve.4.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
    Source: Amcache.hve.4.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
    Source: Amcache.hve.4.drBinary or memory string: VMware PCI VMCI Bus Device
    Source: Amcache.hve.4.drBinary or memory string: VMware VMCI Bus Device
    Source: Amcache.hve.4.drBinary or memory string: VMware Virtual RAM
    Source: Amcache.hve.4.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
    Source: Amcache.hve.4.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_004402C0 LdrInitializeThunk,0_2_004402C0
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_007936A3 push dword ptr fs:[00000030h]0_2_007936A3
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_0098092B mov eax, dword ptr fs:[00000030h]0_2_0098092B
    Source: C:\Users\user\Desktop\TBI87y49f9.exeCode function: 0_2_00980D90 mov eax, dword ptr fs:[00000030h]0_2_00980D90

    HIPS / PFW / Operating System Protection Evasion

    barindex
    LummaC encrypted strings found
    Source: TBI87y49f9.exeString found in binary or memory: robinsharez.shop
    Source: TBI87y49f9.exeString found in binary or memory: handscreamny.shop
    Source: TBI87y49f9.exeString found in binary or memory: chipdonkeruz.shop
    Source: TBI87y49f9.exeString found in binary or memory: versersleep.shop
    Source: TBI87y49f9.exeString found in binary or memory: crowdwarek.shop
    Source: TBI87y49f9.exeString found in binary or memory: apporholis.shop
    Source: TBI87y49f9.exeString found in binary or memory: femalsabler.shop
    Source: TBI87y49f9.exeString found in binary or memory: soundtappysk.shop
    Source: TBI87y49f9.exeString found in binary or memory: skidjazzyric.click
    Source: C:\Users\user\Desktop\TBI87y49f9.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
    Source: Amcache.hve.4.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
    Source: Amcache.hve.4.drBinary or memory string: msmpeng.exe
    Source: Amcache.hve.4.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
    Source: Amcache.hve.4.drBinary or memory string: MsMpEng.exe

    Stealing of Sensitive Information

    barindex
    Yara detected LummaC Stealer
    Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR

    Remote Access Functionality

    barindex
    Yara detected LummaC Stealer
    Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR

    Mitre Att&ck Matrix

    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
    Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
    PowerShell    		1
    DLL Side-Loading    		1
    Process Injection    		1
    Virtualization/Sandbox Evasion    		OS Credential Dumping11
    Security Software Discovery    		Remote Services1
    Screen Capture    		11
    Encrypted Channel    		Exfiltration Over Other Network MediumAbuse Accessibility Features
    CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
    DLL Side-Loading    		1
    Process Injection    		LSASS Memory1
    Virtualization/Sandbox Evasion    		Remote Desktop Protocol1
    Archive Collected Data    		1
    Ingress Tool Transfer    		Exfiltration Over BluetoothNetwork Denial of Service
    Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)11
    Deobfuscate/Decode Files or Information    		Security Account Manager1
    Process Discovery    		SMB/Windows Admin Shares2
    Clipboard Data    		2
    Non-Application Layer Protocol    		Automated ExfiltrationData Encrypted for Impact
    Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook4
    Obfuscated Files or Information    		NTDS2
    System Information Discovery    		Distributed Component Object ModelInput Capture113
    Application Layer Protocol    		Traffic DuplicationData Destruction
    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script22
    Software Packing    		LSA SecretsInternet Connection DiscoverySSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
    DLL Side-Loading    		Cached Domain CredentialsWi-Fi DiscoveryVNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


    windows-stand

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    SourceDetectionScannerLabelLink
    TBI87y49f9.exe50%ReversingLabsWin32.Trojan.CrypterX
    TBI87y49f9.exe39%VirustotalBrowse
    TBI87y49f9.exe100%Joe Sandbox ML

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    SourceDetectionScannerLabelLink
    https://chipdonkeruz.shop/100%Avira URL Cloudmalware
    https://versersleep.shop/100%Avira URL Cloudmalware
    https://versersleep.shop/t100%Avira URL Cloudmalware
    https://robinsharez.shop/L100%Avira URL Cloudmalware
    https://robinsharez.shop/100%Avira URL Cloudmalware
    https://crowdwarek.shop/100%Avira URL Cloudmalware
    https://help.ste0%Avira URL Cloudsafe

    Domains and IPs

    Contacted Domains

    NameIPActiveMaliciousAntivirus DetectionReputation
    steamcommunity.com
    		104.102.49.254
    		truefalse
      		high
      femalsabler.shop
      		unknown
      		unknownfalse
        		high
        robinsharez.shop
        		unknown
        		unknownfalse
          		high
          soundtappysk.shop
          		unknown
          		unknownfalse
            		high
            crowdwarek.shop
            		unknown
            		unknownfalse
              		high
              versersleep.shop
              		unknown
              		unknownfalse
                		high
                skidjazzyric.click
                		unknown
                		unknownfalse
                  		high
                  chipdonkeruz.shop
                  		unknown
                  		unknownfalse
                    		high
                    apporholis.shop
                    		unknown
                    		unknownfalse
                      		high
                      handscreamny.shop
                      		unknown
                      		unknownfalse
                        		high

                        Contacted URLs

                        NameMaliciousAntivirus DetectionReputation
                        robinsharez.shopfalse
                          		high
                          versersleep.shopfalse
                            		high
                            crowdwarek.shopfalse
                              		high
                              skidjazzyric.clickfalse
                                		high
                                femalsabler.shopfalse
                                  		high
                                  https://steamcommunity.com/profiles/76561199724331900false
                                    		high
                                    soundtappysk.shopfalse
                                      		high
                                      apporholis.shopfalse
                                        		high
                                        handscreamny.shopfalse
                                          		high
                                          chipdonkeruz.shopfalse
                                            		high

                                            URLs from Memory and Binaries

                                            NameSourceMaliciousAntivirus DetectionReputation
                                            https://steamcommunity.com/my/wishlist/TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000863000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpfalse
                                              		high
                                              https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.pngTBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                		high
                                                https://player.vimeo.comTBI87y49f9.exe, 00000000.00000003.2075506850.000000000082A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  		high
                                                  https://chipdonkeruz.shop/TBI87y49f9.exe, 00000000.00000003.2075678748.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075534178.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000002.2286839943.00000000007E3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: malware
                                                  		unknown
                                                  https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000863000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    		high
                                                    https://steamcommunity.com/?subsection=broadcastsTBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      		high
                                                      https://help.steampowered.com/en/TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        		high
                                                        https://steamcommunity.com/market/TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          		high
                                                          https://store.steampowered.com/news/TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            		high
                                                            https://store.steampowered.com/subscriber_agreement/TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              		high
                                                              https://www.gstatic.cn/recaptcha/TBI87y49f9.exe, 00000000.00000003.2075410847.0000000000820000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                		high
                                                                http://store.steampowered.com/subscriber_agreement/TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075292760.00000000007E7000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000863000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  		high
                                                                  https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.orgTBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075292760.00000000007E7000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000863000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    		high
                                                                    https://recaptcha.net/recaptcha/;TBI87y49f9.exe, 00000000.00000003.2075506850.000000000082A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      		high
                                                                      https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=Eq36AUaEgab8&l=enTBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000863000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        		high
                                                                        http://www.valvesoftware.com/legal.htmTBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          		high
                                                                          https://steamcommunity.com/discussions/TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            		high
                                                                            https://www.youtube.comTBI87y49f9.exe, 00000000.00000003.2075506850.000000000082A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              		high
                                                                              https://www.google.comTBI87y49f9.exe, 00000000.00000003.2075506850.000000000082A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                		high
                                                                                https://robinsharez.shop/LTBI87y49f9.exe, 00000000.00000003.2075678748.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075534178.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000002.2286839943.00000000007E3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                • Avira URL Cloud: malware
                                                                                		unknown
                                                                                https://store.steampowered.com/stats/TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  		high
                                                                                  https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&amTBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000863000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    		high
                                                                                    https://medal.tvTBI87y49f9.exe, 00000000.00000003.2075506850.000000000082A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      		high
                                                                                      https://steamcommunity.com/STBI87y49f9.exe, 00000000.00000003.2075223656.0000000000863000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        		high
                                                                                        https://broadcast.st.dl.eccdnx.comTBI87y49f9.exe, 00000000.00000003.2075410847.0000000000820000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          		high
                                                                                          https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.pngTBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            		high
                                                                                            https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&aTBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000863000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              		high
                                                                                              https://store.steampowered.com/steam_refunds/TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                		high
                                                                                                https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20FeedbackTBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075292760.00000000007E7000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000863000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  		high
                                                                                                  https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    		high
                                                                                                    https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075678748.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000863000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075534178.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000002.2286839943.00000000007E3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      		high
                                                                                                      https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        		high
                                                                                                        https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/TBI87y49f9.exe, 00000000.00000003.2075410847.0000000000820000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          		high
                                                                                                          https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=englTBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000863000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            		high
                                                                                                            https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbCTBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000863000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              		high
                                                                                                              https://s.ytimg.com;TBI87y49f9.exe, 00000000.00000003.2075410847.0000000000820000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                		high
                                                                                                                https://crowdwarek.shop/TBI87y49f9.exe, 00000000.00000002.2286839943.00000000007E3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                • Avira URL Cloud: malware
                                                                                                                		unknown
                                                                                                                https://steamcommunity.com/workshop/TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  		high
                                                                                                                  https://login.steampowered.com/TBI87y49f9.exe, 00000000.00000003.2075506850.000000000082A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    		high
                                                                                                                    https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbbTBI87y49f9.exe, 00000000.00000003.2075410847.0000000000820000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075506850.000000000082A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      		high
                                                                                                                      https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_cTBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000863000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        		high
                                                                                                                        https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075292760.00000000007E7000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000863000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          		high
                                                                                                                          https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000863000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            		high
                                                                                                                            https://store.steampowered.com/legal/TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075292760.00000000007E7000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000863000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              		high
                                                                                                                              https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=lviETBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075678748.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000863000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075534178.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000002.2286839943.00000000007E3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                		high
                                                                                                                                https://steamcommunity.com/4TBI87y49f9.exe, 00000000.00000003.2075678748.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075534178.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000002.2286839943.00000000007E3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  		high
                                                                                                                                  https://community.fastly.steamstatic.com/TBI87y49f9.exe, 00000000.00000003.2075410847.0000000000820000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    		high
                                                                                                                                    https://community.fastly.steamstatic.com/public/css/skin_1/fatalerror.css?v=OFUqlcDNiD6y&l=engliTBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000863000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      		high
                                                                                                                                      https://steam.tv/TBI87y49f9.exe, 00000000.00000003.2075410847.0000000000820000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                        		high
                                                                                                                                        https://versersleep.shop/TBI87y49f9.exe, 00000000.00000003.2075678748.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075534178.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000002.2286839943.00000000007E3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                        • Avira URL Cloud: malware
                                                                                                                                        		unknown
                                                                                                                                        https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=enTBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000863000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          		high
                                                                                                                                          https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=engTBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000863000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            		high
                                                                                                                                            https://help.steTBI87y49f9.exe, 00000000.00000002.2286839943.0000000000820000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            • Avira URL Cloud: safe
                                                                                                                                            		unknown
                                                                                                                                            https://versersleep.shop/tTBI87y49f9.exe, 00000000.00000003.2075678748.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075534178.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000002.2286839943.00000000007E3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            • Avira URL Cloud: malware
                                                                                                                                            		unknown
                                                                                                                                            http://store.steampowered.com/privacy_agreement/TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075292760.00000000007E7000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000863000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                              		high
                                                                                                                                              https://store.steampowered.com/points/shop/TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                		high
                                                                                                                                                https://recaptcha.netTBI87y49f9.exe, 00000000.00000003.2075410847.0000000000820000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  		high
                                                                                                                                                  http://upx.sf.netAmcache.hve.4.drfalse
                                                                                                                                                    		high
                                                                                                                                                    https://store.steampowered.com/TBI87y49f9.exe, 00000000.00000003.2075410847.0000000000820000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                      		high
                                                                                                                                                      https://steamcommunity.comTBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075292760.00000000007E7000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000863000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                        		high
                                                                                                                                                        https://sketchfab.comTBI87y49f9.exe, 00000000.00000003.2075506850.000000000082A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                          		high
                                                                                                                                                          https://lv.queniujq.cnTBI87y49f9.exe, 00000000.00000003.2075410847.0000000000820000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                            		high
                                                                                                                                                            https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.pngTBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                              		high
                                                                                                                                                              https://www.youtube.com/TBI87y49f9.exe, 00000000.00000003.2075410847.0000000000820000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                		high
                                                                                                                                                                http://127.0.0.1:27060TBI87y49f9.exe, 00000000.00000003.2075410847.0000000000820000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                  		high
                                                                                                                                                                  https://store.steampowered.com/privacy_agreement/TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                    		high
                                                                                                                                                                    https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=M_FULq_ATBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075292760.00000000007E7000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000863000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                      		high
                                                                                                                                                                      https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQTBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000863000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                        		high
                                                                                                                                                                        https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&amTBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000863000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                          		high
                                                                                                                                                                          https://www.google.com/recaptcha/TBI87y49f9.exe, 00000000.00000003.2075506850.000000000082A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                            		high
                                                                                                                                                                            https://checkout.steampowered.com/TBI87y49f9.exe, 00000000.00000003.2075506850.000000000082A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                              		high
                                                                                                                                                                              https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&ampTBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000863000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                		high
                                                                                                                                                                                https://help.steampowered.com/TBI87y49f9.exe, 00000000.00000003.2075410847.0000000000820000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                  		high
                                                                                                                                                                                  https://api.steampowered.com/TBI87y49f9.exe, 00000000.00000003.2075410847.0000000000820000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                    		high
                                                                                                                                                                                    https://store.steampowered.com/points/shopTBI87y49f9.exe, 00000000.00000003.2075223656.0000000000863000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                      		high
                                                                                                                                                                                      http://store.steampowered.com/account/cookiepreferences/TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075292760.00000000007E7000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000863000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                        		high
                                                                                                                                                                                        https://store.steampowered.com/mobileTBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                          		high
                                                                                                                                                                                          https://steamcommunity.com/TBI87y49f9.exe, 00000000.00000002.2286839943.00000000007E3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                            		high
                                                                                                                                                                                            https://steamcommunity.com/profiles/765611997243319003TBI87y49f9.exe, 00000000.00000003.2075678748.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075534178.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000002.2286839943.00000000007E3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                              		high
                                                                                                                                                                                              https://store.steampowered.com/;TBI87y49f9.exe, 00000000.00000003.2075410847.0000000000831000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000002.2286993920.0000000000831000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075410847.0000000000820000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075506850.000000000082A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                		high
                                                                                                                                                                                                https://store.steampowered.com/about/TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  		high
                                                                                                                                                                                                  https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&lTBI87y49f9.exe, 00000000.00000003.2075223656.0000000000869000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075223656.0000000000863000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075520311.000000000086D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    		high
                                                                                                                                                                                                    https://robinsharez.shop/TBI87y49f9.exe, 00000000.00000003.2075678748.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000003.2075534178.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, TBI87y49f9.exe, 00000000.00000002.2286839943.00000000007E3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    • Avira URL Cloud: malware
                                                                                                                                                                                                    		unknown

                                                                                                                                                                                                    World Map of Contacted IPs

                                                                                                                                                                                                    • No. of IPs < 25%
                                                                                                                                                                                                    • 25% < No. of IPs < 50%
                                                                                                                                                                                                    • 50% < No. of IPs < 75%
                                                                                                                                                                                                    • 75% < No. of IPs

                                                                                                                                                                                                    Public IPs

                                                                                                                                                                                                    IPDomainCountryFlagASNASN NameMalicious
                                                                                                                                                                                                    104.102.49.254
                                                                                                                                                                                                    		steamcommunity.comUnited States
                                                                                                                                                                                                    		16625AKAMAI-ASUSfalse

                                                                                                                                                                                                    General Information

                                                                                                                                                                                                    Joe Sandbox version:42.0.0 Malachite
                                                                                                                                                                                                    Analysis ID:1589508
                                                                                                                                                                                                    Start date and time:2025-01-12 17:40:09 +01:00
                                                                                                                                                                                                    Joe Sandbox product:CloudBasic
                                                                                                                                                                                                    Overall analysis duration:0h 5m 17s
                                                                                                                                                                                                    Hypervisor based Inspection enabled:false
                                                                                                                                                                                                    Report type:full
                                                                                                                                                                                                    Cookbook file name:default.jbs
                                                                                                                                                                                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                                                                                                    Number of analysed new started processes analysed:8
                                                                                                                                                                                                    Number of new started drivers analysed:0
                                                                                                                                                                                                    Number of existing processes analysed:0
                                                                                                                                                                                                    Number of existing drivers analysed:0
                                                                                                                                                                                                    Number of injected processes analysed:0
                                                                                                                                                                                                    Technologies:
                                                                                                                                                                                                    • HCA enabled
                                                                                                                                                                                                    • EGA enabled
                                                                                                                                                                                                    • AMSI enabled
                                                                                                                                                                                                    Analysis Mode:default
                                                                                                                                                                                                    Analysis stop reason:Timeout
                                                                                                                                                                                                    Sample name:TBI87y49f9.exe
                                                                                                                                                                                                    renamed because original name is a hash value
                                                                                                                                                                                                    Original Sample Name:08494e6a1e788ea3259955a4524fdfec.exe
                                                                                                                                                                                                    Detection:MAL
                                                                                                                                                                                                    Classification:mal100.troj.evad.winEXE@2/5@10/1
                                                                                                                                                                                                    EGA Information:
                                                                                                                                                                                                    • Successful, ratio: 100%
                                                                                                                                                                                                    HCA Information:
                                                                                                                                                                                                    • Successful, ratio: 95%
                                                                                                                                                                                                    • Number of executed functions: 13
                                                                                                                                                                                                    • Number of non-executed functions: 238
                                                                                                                                                                                                    Cookbook Comments:
                                                                                                                                                                                                    • Found application associated with file extension: .exe

                                                                                                                                                                                                    Warnings

                                                                                                                                                                                                    • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                                                                                                                                                                                    • Excluded IPs from analysis (whitelisted): 20.189.173.20, 40.126.32.133, 172.202.163.200, 13.107.246.45
                                                                                                                                                                                                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
                                                                                                                                                                                                    • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                                                                                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                                                    • Report size getting too big, too many NtQueryValueKey calls found.

                                                                                                                                                                                                    Simulations

                                                                                                                                                                                                    Behavior and APIs

                                                                                                                                                                                                    TimeTypeDescription
                                                                                                                                                                                                    11:41:01API Interceptor3x Sleep call for process: TBI87y49f9.exe modified
                                                                                                                                                                                                    11:41:23API Interceptor1x Sleep call for process: WerFault.exe modified

                                                                                                                                                                                                    Joe Sandbox View / Context

                                                                                                                                                                                                    IPs

                                                                                                                                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                    104.102.49.254r4xiHKy8aM.exeGet hashmaliciousSocks5SystemzBrowse
                                                                                                                                                                                                    • /ISteamUser/GetFriendList/v1/?key=AE2AE4DBF33A541E83BC08989DB1F397&steamid=76561198400860497
                                                                                                                                                                                                    http://gtm-cn-j4g3qqvf603.steamproxy1.com/Get hashmaliciousUnknownBrowse
                                                                                                                                                                                                    • www.valvesoftware.com/legal.htm

                                                                                                                                                                                                    Domains

                                                                                                                                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                    steamcommunity.comH5JVfa61AV.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                    • 104.102.49.254
                                                                                                                                                                                                    2EG0jAmtY6.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                    • 104.102.49.254
                                                                                                                                                                                                    rii2.mp3.htaGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                    • 104.102.49.254
                                                                                                                                                                                                    176.113.115.170.ps1Get hashmaliciousLummaCBrowse
                                                                                                                                                                                                    • 104.102.49.254
                                                                                                                                                                                                    x.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                    • 104.102.49.254
                                                                                                                                                                                                    SDIO_R773.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                    • 104.102.49.254
                                                                                                                                                                                                    176.113.115.170_3.ps1Get hashmaliciousLummaCBrowse
                                                                                                                                                                                                    • 104.102.49.254
                                                                                                                                                                                                    4kN17cL4Tn.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                    • 104.102.49.254
                                                                                                                                                                                                    5tmmrpv3dn.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                                                                                                    • 104.102.49.254
                                                                                                                                                                                                    b0cQukXPAl.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                    • 104.102.49.254

                                                                                                                                                                                                    ASNs

                                                                                                                                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                    AKAMAI-ASUSH5JVfa61AV.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                    • 104.102.49.254
                                                                                                                                                                                                    2EG0jAmtY6.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                    • 104.102.49.254
                                                                                                                                                                                                    rii2.mp3.htaGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                    • 104.102.49.254
                                                                                                                                                                                                    mNPTwHOuvT.exeGet hashmaliciousVidarBrowse
                                                                                                                                                                                                    • 23.49.251.20
                                                                                                                                                                                                    res.mips.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                    • 184.85.6.161
                                                                                                                                                                                                    176.113.115.170.ps1Get hashmaliciousLummaCBrowse
                                                                                                                                                                                                    • 104.102.49.254
                                                                                                                                                                                                    http://steam.usercommunityart.com/filedetails/sharedfiles/id=319248110/Get hashmaliciousUnknownBrowse
                                                                                                                                                                                                    • 104.102.22.125
                                                                                                                                                                                                    https://terrific-metal-countess.glitch.me/Get hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                                                    • 23.212.88.20
                                                                                                                                                                                                    x.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                    • 104.102.49.254
                                                                                                                                                                                                    SDIO_R773.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                    • 104.102.49.254

                                                                                                                                                                                                    JA3 Fingerprints

                                                                                                                                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                    a0e9f5d64349fb13191bc781f81f42e1H5JVfa61AV.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                    • 104.102.49.254
                                                                                                                                                                                                    2EG0jAmtY6.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                    • 104.102.49.254
                                                                                                                                                                                                    5vrRrFN56j.exeGet hashmaliciousBdaejecBrowse
                                                                                                                                                                                                    • 104.102.49.254
                                                                                                                                                                                                    rii2.mp3.htaGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                    • 104.102.49.254
                                                                                                                                                                                                    installer_1.05_37.4.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                    • 104.102.49.254
                                                                                                                                                                                                    Set-up.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                    • 104.102.49.254
                                                                                                                                                                                                    176.113.115.170.ps1Get hashmaliciousLummaCBrowse
                                                                                                                                                                                                    • 104.102.49.254
                                                                                                                                                                                                    Bootstrapper.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                    • 104.102.49.254
                                                                                                                                                                                                    x.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                    • 104.102.49.254
                                                                                                                                                                                                    SDIO_R773.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                    • 104.102.49.254

                                                                                                                                                                                                    Dropped Files

                                                                                                                                                                                                    No context

                                                                                                                                                                                                    Created / dropped Files

                                                                                                                                                                                                    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_TBI87y49f9.exe_8075508ea7efd9ba4af44b51235dd52cb829ffb5_8b27494b_2a3630a1-7d06-4d1e-a176-072b65e6f493\Report.wer

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):65536
                                                                                                                                                                                                    Entropy (8bit):0.965493252999524
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:96:BdeEyZ047tsehBVod7Rr6tQXIDcQqc6mcEKcw34es+HbHg/wWGTf3hOyc45WAU6V:bzo047tl00kigMajsFRzuiFKZ24IO8O
                                                                                                                                                                                                    MD5:C4792BB96D74F953ECEAFB433D6BB52E
                                                                                                                                                                                                    SHA1:F8AEABF7ED5DD8F4A78F89AAFD06BD44369465B7
                                                                                                                                                                                                    SHA-256:6835EE97261ABC0045D4F0D19C4A55AB4BC0E2D0A63A3122C33481C1F498A0C0
                                                                                                                                                                                                    SHA-512:37DE700FCF835BF2E021387DD7A52AE1D562CBED0020AE17295ED6EE46099FFC179AA1F73978DCCD68F4BFDB79B14E1D82ACB85F93406184CB60A37D2DE472FF
                                                                                                                                                                                                    Malicious:true
                                                                                                                                                                                                    Reputation:low
                                                                                                                                                                                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.1.7.3.6.6.3.1.4.1.8.8.7.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.1.1.7.3.6.6.3.5.0.1.2.6.9.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.a.3.6.3.0.a.1.-.7.d.0.6.-.4.d.1.e.-.a.1.7.6.-.0.7.2.b.6.5.e.6.f.4.9.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.5.9.3.f.d.c.0.-.2.b.9.3.-.4.4.2.a.-.8.9.5.5.-.7.3.a.7.9.9.2.d.c.4.b.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.T.B.I.8.7.y.4.9.f.9...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.5.f.0.-.0.0.0.1.-.0.0.1.4.-.6.6.1.3.-.0.e.c.2.1.0.6.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.a.3.0.0.c.8.a.7.0.9.8.9.c.e.e.8.9.e.3.c.8.6.6.c.c.5.6.0.0.f.b.0.0.0.0.f.f.f.f.!.0.0.0.0.2.c.8.f.a.1.7.d.0.5.2.5.1.b.5.1.5.c.c.5.2.6.9.4.3.3.5.a.8.8.c.7.a.6.0.9.e.3.0.3.!.T.B.I.8.7.y.4.9.f.9...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.

                                                                                                                                                                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WER4FB.tmp.dmp

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                    File Type:Mini DuMP crash report, 15 streams, Sun Jan 12 16:41:03 2025, 0x1205a4 type
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):44848
                                                                                                                                                                                                    Entropy (8bit):2.4967331806546738
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:192:+EXXUeXHOp1BRKEqeUlDOiuUtxTiiK3u4cI4IPA9ZZ+:BXu7BRKEq3JeXSIATZ+
                                                                                                                                                                                                    MD5:263C61B888C9F42BBE5B27FB4898EEEC
                                                                                                                                                                                                    SHA1:8B20C298C1FFE354B3669BE24AA308D1B84DEE8E
                                                                                                                                                                                                    SHA-256:30637086B46F534F16B9A90C15D06139FF45974EFC6B28E9CAB8502B342C1A82
                                                                                                                                                                                                    SHA-512:A406C7233C001380DA8AC6945A82FE1C2EA9C07681AF336266290EDB2B61667B1B09F6A9DB33C7D8C5C25AE5E07AF6C08EDCA9F32DBA2FA8AB6B26166C43A966
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Reputation:low
                                                                                                                                                                                                    Preview:MDMP..a..... ..........g............4...............H.......T...<.......d...0,..........`.......8...........T............?...o......................|...............................................................................eJ....... ......GenuineIntel............T..............g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WER5B7.tmp.WERInternalMetadata.xml

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):8418
                                                                                                                                                                                                    Entropy (8bit):3.6935371082253687
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:192:R6l7wVeJcc6NI6YEIESUOugmf494bLpDM89bcAsfJUm:R6lXJ36NI6YErSUOugmf49EcTff
                                                                                                                                                                                                    MD5:29DD82002FC1B55ACE146AD09115FB0D
                                                                                                                                                                                                    SHA1:84149D52F33D2CE9CBC6EAAD2539B3F43292BBFD
                                                                                                                                                                                                    SHA-256:C52B5E2848A07525F933CE5BCCB08E16A8D7D7DC4685E543CA18BA0266CE2614
                                                                                                                                                                                                    SHA-512:F5FFE2E18E0F765B8172B1DD7C0CC51BC21E23C4D4013D8CC6097ECD720D2D4AF88066CB83DB0B7DF3F6E1C1B3B21F2157F953A012C0DB72CA2747989F3BEE12
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Reputation:low
                                                                                                                                                                                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.5.2.0.<./.P.i.

                                                                                                                                                                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WER5E7.tmp.xml

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):4724
                                                                                                                                                                                                    Entropy (8bit):4.4840135136656105
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:48:cvIwWl8zspJg77aI93UWpW8VYRYm8M4J2FO3FUP+q8vcFOCJ0C9A4d:uIjf7I7VN7VZJ2TKID08A4d
                                                                                                                                                                                                    MD5:67284D38FF39ED5DC804A1F1923A7214
                                                                                                                                                                                                    SHA1:BA92AAAF4B21D39A328E50CE48B3AC64628F3E3C
                                                                                                                                                                                                    SHA-256:0A294729FD64C890C114F15E337EF6E8EB69CB728D91263F8C77694EAAB37213
                                                                                                                                                                                                    SHA-512:4FE5121B73313B7FE6E62D749E3A76A5EA9FD1B8A06A2FCE835DCE94D1961B6A33CBA0B8B58742EADA14548C8FFB3566E6D7F50685F41DD6BB73409EF5E32F59
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Reputation:low
                                                                                                                                                                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="672943" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

                                                                                                                                                                                                    C:\Windows\appcompat\Programs\Amcache.hve

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                    File Type:MS Windows registry file, NT/2000 or above
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):1835008
                                                                                                                                                                                                    Entropy (8bit):4.421551519585508
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:6144:CSvfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnN+0uhiTw:RvloTMW+EZMM6DFyk03w
                                                                                                                                                                                                    MD5:721599D72094B6D27B81D56F7873369A
                                                                                                                                                                                                    SHA1:D71D4BC58EA8F3D0811D05894D3C2F4661669154
                                                                                                                                                                                                    SHA-256:EC02E50990572A03A170DE881C9853397A6B6B15E2DF09A5967051853D943A44
                                                                                                                                                                                                    SHA-512:6E7D3BEC3D8DA9C59020E4E9864FBB5955A005DFCE5E74BED31CE058C4A72BE6654A7E37458CBA3A13F69CAC048AE5DC8357815E7AA2BD1349CDB12D8ABCA6EA
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Reputation:low
                                                                                                                                                                                                    Preview:regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.i...e.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                    Static File Info

                                                                                                                                                                                                    General

                                                                                                                                                                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                    Entropy (8bit):6.686761413395804
                                                                                                                                                                                                    TrID:
                                                                                                                                                                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                                                    • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                                                    File name:TBI87y49f9.exe
                                                                                                                                                                                                    File size:403'968 bytes
                                                                                                                                                                                                    MD5:08494e6a1e788ea3259955a4524fdfec
                                                                                                                                                                                                    SHA1:2c8fa17d05251b515cc52694335a88c7a609e303
                                                                                                                                                                                                    SHA256:9eee9d46e5ea0b25bd904760a998a54550ab3800666d01e27aa8ff52626ece94
                                                                                                                                                                                                    SHA512:a0eae14b5aa2800f2d4e92e6735a9b3acf6256c9dfd811dd5e9e16df20b7dcb7911fa112ae0344a3d3ddf95a4610fbcdc729cd0f9746ed006e277d4e103482ff
                                                                                                                                                                                                    SSDEEP:3072:Ro2KKJ9Uzzp69NgvCbewaeDZwq0K4gowWix4WlhBTSPY89CA2dPtcDB66Ngv73mt:VJQ6rEGEPipJSPincDcMm28I
                                                                                                                                                                                                    TLSH:FB84AE8252F0F85DF6B74A335E3E86E4E6EFF462FD68629A71141A0F08731B1C526712
                                                                                                                                                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................Rich............PE..L......f.................6.

                                                                                                                                                                                                    File Icon

                                                                                                                                                                                                    Icon Hash:738733b18b8b9bec

                                                                                                                                                                                                    Static PE Info

                                                                                                                                                                                                    General

                                                                                                                                                                                                    Entrypoint:0x4014b7
                                                                                                                                                                                                    Entrypoint Section:.text
                                                                                                                                                                                                    Digitally signed:false
                                                                                                                                                                                                    Imagebase:0x400000
                                                                                                                                                                                                    Subsystem:windows gui
                                                                                                                                                                                                    Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                                                                                    DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                                                                                                                    Time Stamp:0x6695FDF9 [Tue Jul 16 04:58:33 2024 UTC]
                                                                                                                                                                                                    TLS Callbacks:
                                                                                                                                                                                                    CLR (.Net) Version:
                                                                                                                                                                                                    OS Version Major:5
                                                                                                                                                                                                    OS Version Minor:0
                                                                                                                                                                                                    File Version Major:5
                                                                                                                                                                                                    File Version Minor:0
                                                                                                                                                                                                    Subsystem Version Major:5
                                                                                                                                                                                                    Subsystem Version Minor:0
                                                                                                                                                                                                    Import Hash:ed8c9aab5b430953fb9c6d93394d74ac

                                                                                                                                                                                                    Entrypoint Preview

                                                                                                                                                                                                    Instruction
                                                                                                                                                                                                    call 00007FED45005E34h
                                                                                                                                                                                                    jmp 00007FED4500262Dh
                                                                                                                                                                                                    mov edi, edi
                                                                                                                                                                                                    push ebp
                                                                                                                                                                                                    mov ebp, esp
                                                                                                                                                                                                    sub esp, 00000328h
                                                                                                                                                                                                    mov dword ptr [00449598h], eax
                                                                                                                                                                                                    mov dword ptr [00449594h], ecx
                                                                                                                                                                                                    mov dword ptr [00449590h], edx
                                                                                                                                                                                                    mov dword ptr [0044958Ch], ebx
                                                                                                                                                                                                    mov dword ptr [00449588h], esi
                                                                                                                                                                                                    mov dword ptr [00449584h], edi
                                                                                                                                                                                                    mov word ptr [004495B0h], ss
                                                                                                                                                                                                    mov word ptr [004495A4h], cs
                                                                                                                                                                                                    mov word ptr [00449580h], ds
                                                                                                                                                                                                    mov word ptr [0044957Ch], es
                                                                                                                                                                                                    mov word ptr [00449578h], fs
                                                                                                                                                                                                    mov word ptr [00449574h], gs
                                                                                                                                                                                                    pushfd
                                                                                                                                                                                                    pop dword ptr [004495A8h]
                                                                                                                                                                                                    mov eax, dword ptr [ebp+00h]
                                                                                                                                                                                                    mov dword ptr [0044959Ch], eax
                                                                                                                                                                                                    mov eax, dword ptr [ebp+04h]
                                                                                                                                                                                                    mov dword ptr [004495A0h], eax
                                                                                                                                                                                                    lea eax, dword ptr [ebp+08h]
                                                                                                                                                                                                    mov dword ptr [004495ACh], eax
                                                                                                                                                                                                    mov eax, dword ptr [ebp-00000320h]
                                                                                                                                                                                                    mov dword ptr [004494E8h], 00010001h
                                                                                                                                                                                                    mov eax, dword ptr [004495A0h]
                                                                                                                                                                                                    mov dword ptr [0044949Ch], eax
                                                                                                                                                                                                    mov dword ptr [00449490h], C0000409h
                                                                                                                                                                                                    mov dword ptr [00449494h], 00000001h
                                                                                                                                                                                                    mov eax, dword ptr [00448004h]
                                                                                                                                                                                                    mov dword ptr [ebp-00000328h], eax
                                                                                                                                                                                                    mov eax, dword ptr [00448008h]
                                                                                                                                                                                                    mov dword ptr [ebp-00000324h], eax
                                                                                                                                                                                                    call dword ptr [000000A0h]

                                                                                                                                                                                                    Rich Headers

                                                                                                                                                                                                    Programming Language:
                                                                                                                                                                                                    • [C++] VS2008 build 21022
                                                                                                                                                                                                    • [ASM] VS2008 build 21022
                                                                                                                                                                                                    • [ C ] VS2008 build 21022
                                                                                                                                                                                                    • [IMP] VS2005 build 50727
                                                                                                                                                                                                    • [RES] VS2008 build 21022
                                                                                                                                                                                                    • [LNK] VS2008 build 21022

                                                                                                                                                                                                    Data Directories

                                                                                                                                                                                                    NameVirtual AddressVirtual Size Is in Section
                                                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_IMPORT0x469cc0x28.rdata
                                                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE0xb80000x16910.rsrc
                                                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
                                                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_IAT0x450000x180.rdata
                                                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                                                                                                                                    Sections

                                                                                                                                                                                                    NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                                                                                                                                    .text0x10000x434ac0x4360048190401e81ce19ea6ec96bc59db1a25False0.8140726461038961data7.417548317236182IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                                                                                                                                    .rdata0x450000x22560x240072ce39b3149097cbefcb296adbf957faFalse0.3556857638888889data5.372660528531387IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                                                                                                                    .data0x480000x67c080x16009af7e533758dc356dce02ec02265cbd8False0.28764204545454547data2.9016251877473156IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                                                                                                    .nosu0xb00000x53e50x4800f9debe3f07be68533bf0295e3d2ba68aFalse0.002224392361111111data0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                                                                                                    .muwav0xb60000x15a0x200bf619eac0cdf3f68d496ea9344137e8bFalse0.02734375data0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                                                                                                    .roxah0xb70000xc0x200bf619eac0cdf3f68d496ea9344137e8bFalse0.02734375data0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                                                                                                                    .rsrc0xb80000x169100x16a00cccc7f30bf1560adab3a1826d890d7d9False0.3672198722375691data4.481027497292891IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                                                                                                                                                                    Resources

                                                                                                                                                                                                    NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                                                                                                                                                    RT_CURSOR0xc8b580x130Device independent bitmap graphic, 32 x 64 x 1, image size 00.4276315789473684
                                                                                                                                                                                                    RT_CURSOR0xc8ca00xea8Device independent bitmap graphic, 48 x 96 x 8, image size 00.31023454157782515
                                                                                                                                                                                                    RT_ICON0xb89000xea8Device independent bitmap graphic, 48 x 96 x 8, image size 00.26732409381663114
                                                                                                                                                                                                    RT_ICON0xb97a80x8a8Device independent bitmap graphic, 32 x 64 x 8, image size 00.4165162454873646
                                                                                                                                                                                                    RT_ICON0xba0500x6c8Device independent bitmap graphic, 24 x 48 x 8, image size 00.5299539170506913
                                                                                                                                                                                                    RT_ICON0xba7180x568Device independent bitmap graphic, 16 x 32 x 8, image size 00.5773121387283237
                                                                                                                                                                                                    RT_ICON0xbac800x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 00.4221991701244813
                                                                                                                                                                                                    RT_ICON0xbd2280x988Device independent bitmap graphic, 24 x 48 x 32, image size 00.49631147540983606
                                                                                                                                                                                                    RT_ICON0xbdbb00x468Device independent bitmap graphic, 16 x 32 x 32, image size 00.499113475177305
                                                                                                                                                                                                    RT_ICON0xbe0800xea8Device independent bitmap graphic, 48 x 96 x 8, image size 00.32409381663113007
                                                                                                                                                                                                    RT_ICON0xbef280x8a8Device independent bitmap graphic, 32 x 64 x 8, image size 00.4481046931407942
                                                                                                                                                                                                    RT_ICON0xbf7d00x6c8Device independent bitmap graphic, 24 x 48 x 8, image size 00.5086405529953917
                                                                                                                                                                                                    RT_ICON0xbfe980x568Device independent bitmap graphic, 16 x 32 x 8, image size 00.5252890173410405
                                                                                                                                                                                                    RT_ICON0xc04000x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 00.28846153846153844
                                                                                                                                                                                                    RT_ICON0xc14a80x988Device independent bitmap graphic, 24 x 48 x 32, image size 00.2905737704918033
                                                                                                                                                                                                    RT_ICON0xc1e300x468Device independent bitmap graphic, 16 x 32 x 32, image size 00.33687943262411346
                                                                                                                                                                                                    RT_ICON0xc23000xea8Device independent bitmap graphic, 48 x 96 x 8, image size 00.2822494669509595
                                                                                                                                                                                                    RT_ICON0xc31a80x8a8Device independent bitmap graphic, 32 x 64 x 8, image size 00.36823104693140796
                                                                                                                                                                                                    RT_ICON0xc3a500x6c8Device independent bitmap graphic, 24 x 48 x 8, image size 00.3721198156682028
                                                                                                                                                                                                    RT_ICON0xc41180x568Device independent bitmap graphic, 16 x 32 x 8, image size 00.3800578034682081
                                                                                                                                                                                                    RT_ICON0xc46800x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 00.25746887966804977
                                                                                                                                                                                                    RT_ICON0xc6c280x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 00.2767354596622889
                                                                                                                                                                                                    RT_ICON0xc7cd00x988Device independent bitmap graphic, 24 x 48 x 32, image size 00.2913934426229508
                                                                                                                                                                                                    RT_ICON0xc86580x468Device independent bitmap graphic, 16 x 32 x 32, image size 00.325354609929078
                                                                                                                                                                                                    RT_STRING0xc9d180x414data0.45689655172413796
                                                                                                                                                                                                    RT_STRING0xca1300xccdata0.5833333333333334
                                                                                                                                                                                                    RT_STRING0xca2000x534data0.45345345345345345
                                                                                                                                                                                                    RT_STRING0xca7380x548data0.44970414201183434
                                                                                                                                                                                                    RT_STRING0xcac800x75edata0.4247083775185578
                                                                                                                                                                                                    RT_STRING0xcb3e00x7d4data0.42115768463073855
                                                                                                                                                                                                    RT_STRING0xcbbb80x61edata0.4450830140485313
                                                                                                                                                                                                    RT_STRING0xcc1d80x4d4data0.46682847896440127
                                                                                                                                                                                                    RT_STRING0xcc6b00x6d4data0.4279176201372998
                                                                                                                                                                                                    RT_STRING0xccd880x698data0.4312796208530806
                                                                                                                                                                                                    RT_STRING0xcd4200x702data0.4258639910813824
                                                                                                                                                                                                    RT_STRING0xcdb280x662data0.44063647490820074
                                                                                                                                                                                                    RT_STRING0xce1900x77edata0.42179353493222105
                                                                                                                                                                                                    RT_ACCELERATOR0xc8b380x20data1.15625
                                                                                                                                                                                                    RT_GROUP_CURSOR0xc8c880x14data1.15
                                                                                                                                                                                                    RT_GROUP_CURSOR0xc9b480x14data1.25
                                                                                                                                                                                                    RT_GROUP_ICON0xbe0180x68data0.7115384615384616
                                                                                                                                                                                                    RT_GROUP_ICON0xc8ac00x76data0.6779661016949152
                                                                                                                                                                                                    RT_GROUP_ICON0xc22980x68data0.7115384615384616
                                                                                                                                                                                                    RT_VERSION0xc9b600x1b4data0.5825688073394495

                                                                                                                                                                                                    Imports

                                                                                                                                                                                                    DLLImport
                                                                                                                                                                                                    KERNEL32.dllSetThreadContext, DebugActiveProcessStop, CreateProcessW, SetWaitableTimer, GetConsoleAliasA, InterlockedDecrement, SetDefaultCommConfigW, GetEnvironmentStringsW, SetComputerNameW, GetProcessPriorityBoost, GetModuleHandleW, GetCurrentThread, SetFileTime, GetEnvironmentStrings, LoadLibraryW, GetVersionExW, GetTimeFormatW, GetAtomNameW, GetVolumePathNameA, GetStartupInfoW, GetStartupInfoA, SetLastError, GetProcAddress, GetLongPathNameA, SearchPathA, LoadLibraryA, InterlockedExchangeAdd, LocalAlloc, MoveFileA, AddAtomA, FoldStringA, OpenFileMappingW, FindFirstVolumeA, FindAtomW, DeleteTimerQueueTimer, GetCommandLineA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapAlloc, GetLastError, WriteFile, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, FlushFileBuffers, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, Sleep, ExitProcess, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsA, FreeEnvironmentStringsW, SetHandleCount, GetFileType, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, GetCurrentThreadId, HeapCreate, VirtualFree, HeapFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, VirtualAlloc, HeapReAlloc, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, MultiByteToWideChar, SetFilePointer, SetStdHandle, InitializeCriticalSectionAndSpinCount, RtlUnwind, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, CreateFileA, CloseHandle, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, HeapSize, GetModuleHandleA

                                                                                                                                                                                                    Network Behavior

                                                                                                                                                                                                    Suricata IDS Alerts

                                                                                                                                                                                                    TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                                                                                                                                                    2025-01-12T17:41:02.297847+01002059088ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (skidjazzyric .click)1192.168.2.5590301.1.1.153UDP
                                                                                                                                                                                                    2025-01-12T17:41:02.314679+01002059051ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (soundtappysk .shop)1192.168.2.5542771.1.1.153UDP
                                                                                                                                                                                                    2025-01-12T17:41:02.328758+01002059041ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (femalsabler .shop)1192.168.2.5565041.1.1.153UDP
                                                                                                                                                                                                    2025-01-12T17:41:02.340299+01002059035ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (apporholis .shop)1192.168.2.5510081.1.1.153UDP
                                                                                                                                                                                                    2025-01-12T17:41:02.351535+01002059039ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crowdwarek .shop)1192.168.2.5636291.1.1.153UDP
                                                                                                                                                                                                    2025-01-12T17:41:02.384654+01002059057ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (versersleep .shop)1192.168.2.5508871.1.1.153UDP
                                                                                                                                                                                                    2025-01-12T17:41:02.396471+01002059037ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (chipdonkeruz .shop)1192.168.2.5573011.1.1.153UDP
                                                                                                                                                                                                    2025-01-12T17:41:02.408856+01002059043ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (handscreamny .shop)1192.168.2.5620421.1.1.153UDP
                                                                                                                                                                                                    2025-01-12T17:41:02.424055+01002059049ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (robinsharez .shop)1192.168.2.5648641.1.1.153UDP
                                                                                                                                                                                                    2025-01-12T17:41:03.163545+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.549704104.102.49.254443TCP
                                                                                                                                                                                                    2025-01-12T17:41:03.622577+01002858666ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup1192.168.2.549704104.102.49.254443TCP

                                                                                                                                                                                                    Network Port Distribution

                                                                                                                                                                                                    TCP Packets

                                                                                                                                                                                                    TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                                                                    Jan 12, 2025 17:41:02.493490934 CET49704443192.168.2.5104.102.49.254
                                                                                                                                                                                                    Jan 12, 2025 17:41:02.493534088 CET44349704104.102.49.254192.168.2.5
                                                                                                                                                                                                    Jan 12, 2025 17:41:02.493597984 CET49704443192.168.2.5104.102.49.254
                                                                                                                                                                                                    Jan 12, 2025 17:41:02.495126963 CET49704443192.168.2.5104.102.49.254
                                                                                                                                                                                                    Jan 12, 2025 17:41:02.495143890 CET44349704104.102.49.254192.168.2.5
                                                                                                                                                                                                    Jan 12, 2025 17:41:03.163386106 CET44349704104.102.49.254192.168.2.5
                                                                                                                                                                                                    Jan 12, 2025 17:41:03.163544893 CET49704443192.168.2.5104.102.49.254
                                                                                                                                                                                                    Jan 12, 2025 17:41:03.181324959 CET49704443192.168.2.5104.102.49.254
                                                                                                                                                                                                    Jan 12, 2025 17:41:03.181361914 CET44349704104.102.49.254192.168.2.5
                                                                                                                                                                                                    Jan 12, 2025 17:41:03.182420015 CET44349704104.102.49.254192.168.2.5
                                                                                                                                                                                                    Jan 12, 2025 17:41:03.234380960 CET49704443192.168.2.5104.102.49.254
                                                                                                                                                                                                    Jan 12, 2025 17:41:03.279320955 CET44349704104.102.49.254192.168.2.5
                                                                                                                                                                                                    Jan 12, 2025 17:41:03.622725010 CET44349704104.102.49.254192.168.2.5
                                                                                                                                                                                                    Jan 12, 2025 17:41:03.622787952 CET44349704104.102.49.254192.168.2.5
                                                                                                                                                                                                    Jan 12, 2025 17:41:03.622807980 CET44349704104.102.49.254192.168.2.5
                                                                                                                                                                                                    Jan 12, 2025 17:41:03.622848034 CET44349704104.102.49.254192.168.2.5
                                                                                                                                                                                                    Jan 12, 2025 17:41:03.622865915 CET44349704104.102.49.254192.168.2.5
                                                                                                                                                                                                    Jan 12, 2025 17:41:03.622948885 CET49704443192.168.2.5104.102.49.254
                                                                                                                                                                                                    Jan 12, 2025 17:41:03.622968912 CET44349704104.102.49.254192.168.2.5
                                                                                                                                                                                                    Jan 12, 2025 17:41:03.622993946 CET49704443192.168.2.5104.102.49.254
                                                                                                                                                                                                    Jan 12, 2025 17:41:03.623017073 CET49704443192.168.2.5104.102.49.254
                                                                                                                                                                                                    Jan 12, 2025 17:41:03.708157063 CET44349704104.102.49.254192.168.2.5
                                                                                                                                                                                                    Jan 12, 2025 17:41:03.708223104 CET44349704104.102.49.254192.168.2.5
                                                                                                                                                                                                    Jan 12, 2025 17:41:03.708374977 CET44349704104.102.49.254192.168.2.5
                                                                                                                                                                                                    Jan 12, 2025 17:41:03.708379030 CET49704443192.168.2.5104.102.49.254
                                                                                                                                                                                                    Jan 12, 2025 17:41:03.708379030 CET49704443192.168.2.5104.102.49.254
                                                                                                                                                                                                    Jan 12, 2025 17:41:03.708420038 CET49704443192.168.2.5104.102.49.254
                                                                                                                                                                                                    Jan 12, 2025 17:41:03.710279942 CET49704443192.168.2.5104.102.49.254
                                                                                                                                                                                                    Jan 12, 2025 17:41:03.710297108 CET44349704104.102.49.254192.168.2.5
                                                                                                                                                                                                    Jan 12, 2025 17:41:03.710306883 CET49704443192.168.2.5104.102.49.254
                                                                                                                                                                                                    Jan 12, 2025 17:41:03.710310936 CET44349704104.102.49.254192.168.2.5

                                                                                                                                                                                                    UDP Packets

                                                                                                                                                                                                    TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                                                                    Jan 12, 2025 17:41:02.297847033 CET5903053192.168.2.51.1.1.1
                                                                                                                                                                                                    Jan 12, 2025 17:41:02.308234930 CET53590301.1.1.1192.168.2.5
                                                                                                                                                                                                    Jan 12, 2025 17:41:02.314678907 CET5427753192.168.2.51.1.1.1
                                                                                                                                                                                                    Jan 12, 2025 17:41:02.325310946 CET53542771.1.1.1192.168.2.5
                                                                                                                                                                                                    Jan 12, 2025 17:41:02.328758001 CET5650453192.168.2.51.1.1.1
                                                                                                                                                                                                    Jan 12, 2025 17:41:02.338675022 CET53565041.1.1.1192.168.2.5
                                                                                                                                                                                                    Jan 12, 2025 17:41:02.340298891 CET5100853192.168.2.51.1.1.1
                                                                                                                                                                                                    Jan 12, 2025 17:41:02.349333048 CET53510081.1.1.1192.168.2.5
                                                                                                                                                                                                    Jan 12, 2025 17:41:02.351535082 CET6362953192.168.2.51.1.1.1
                                                                                                                                                                                                    Jan 12, 2025 17:41:02.360780954 CET53636291.1.1.1192.168.2.5
                                                                                                                                                                                                    Jan 12, 2025 17:41:02.384654045 CET5088753192.168.2.51.1.1.1
                                                                                                                                                                                                    Jan 12, 2025 17:41:02.391916037 CET53508871.1.1.1192.168.2.5
                                                                                                                                                                                                    Jan 12, 2025 17:41:02.396471024 CET5730153192.168.2.51.1.1.1
                                                                                                                                                                                                    Jan 12, 2025 17:41:02.405802965 CET53573011.1.1.1192.168.2.5
                                                                                                                                                                                                    Jan 12, 2025 17:41:02.408855915 CET6204253192.168.2.51.1.1.1
                                                                                                                                                                                                    Jan 12, 2025 17:41:02.417958021 CET53620421.1.1.1192.168.2.5
                                                                                                                                                                                                    Jan 12, 2025 17:41:02.424055099 CET6486453192.168.2.51.1.1.1
                                                                                                                                                                                                    Jan 12, 2025 17:41:02.434585094 CET53648641.1.1.1192.168.2.5
                                                                                                                                                                                                    Jan 12, 2025 17:41:02.438432932 CET5673853192.168.2.51.1.1.1
                                                                                                                                                                                                    Jan 12, 2025 17:41:02.445069075 CET53567381.1.1.1192.168.2.5

                                                                                                                                                                                                    DNS Queries

                                                                                                                                                                                                    TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                                                                                                                                    Jan 12, 2025 17:41:02.297847033 CET192.168.2.51.1.1.10xa1e5Standard query (0)skidjazzyric.clickA (IP address)IN (0x0001)false
                                                                                                                                                                                                    Jan 12, 2025 17:41:02.314678907 CET192.168.2.51.1.1.10xddbcStandard query (0)soundtappysk.shopA (IP address)IN (0x0001)false
                                                                                                                                                                                                    Jan 12, 2025 17:41:02.328758001 CET192.168.2.51.1.1.10x9fdbStandard query (0)femalsabler.shopA (IP address)IN (0x0001)false
                                                                                                                                                                                                    Jan 12, 2025 17:41:02.340298891 CET192.168.2.51.1.1.10xc21dStandard query (0)apporholis.shopA (IP address)IN (0x0001)false
                                                                                                                                                                                                    Jan 12, 2025 17:41:02.351535082 CET192.168.2.51.1.1.10x1b1Standard query (0)crowdwarek.shopA (IP address)IN (0x0001)false
                                                                                                                                                                                                    Jan 12, 2025 17:41:02.384654045 CET192.168.2.51.1.1.10xf0f2Standard query (0)versersleep.shopA (IP address)IN (0x0001)false
                                                                                                                                                                                                    Jan 12, 2025 17:41:02.396471024 CET192.168.2.51.1.1.10x8e68Standard query (0)chipdonkeruz.shopA (IP address)IN (0x0001)false
                                                                                                                                                                                                    Jan 12, 2025 17:41:02.408855915 CET192.168.2.51.1.1.10x749dStandard query (0)handscreamny.shopA (IP address)IN (0x0001)false
                                                                                                                                                                                                    Jan 12, 2025 17:41:02.424055099 CET192.168.2.51.1.1.10xe641Standard query (0)robinsharez.shopA (IP address)IN (0x0001)false
                                                                                                                                                                                                    Jan 12, 2025 17:41:02.438432932 CET192.168.2.51.1.1.10xf38bStandard query (0)steamcommunity.comA (IP address)IN (0x0001)false

                                                                                                                                                                                                    DNS Answers

                                                                                                                                                                                                    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                                                                                                                    Jan 12, 2025 17:41:02.308234930 CET1.1.1.1192.168.2.50xa1e5Name error (3)skidjazzyric.clicknonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                    Jan 12, 2025 17:41:02.325310946 CET1.1.1.1192.168.2.50xddbcName error (3)soundtappysk.shopnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                    Jan 12, 2025 17:41:02.338675022 CET1.1.1.1192.168.2.50x9fdbName error (3)femalsabler.shopnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                    Jan 12, 2025 17:41:02.349333048 CET1.1.1.1192.168.2.50xc21dName error (3)apporholis.shopnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                    Jan 12, 2025 17:41:02.360780954 CET1.1.1.1192.168.2.50x1b1Name error (3)crowdwarek.shopnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                    Jan 12, 2025 17:41:02.391916037 CET1.1.1.1192.168.2.50xf0f2Name error (3)versersleep.shopnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                    Jan 12, 2025 17:41:02.405802965 CET1.1.1.1192.168.2.50x8e68Name error (3)chipdonkeruz.shopnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                    Jan 12, 2025 17:41:02.417958021 CET1.1.1.1192.168.2.50x749dName error (3)handscreamny.shopnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                    Jan 12, 2025 17:41:02.434585094 CET1.1.1.1192.168.2.50xe641Name error (3)robinsharez.shopnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                    Jan 12, 2025 17:41:02.445069075 CET1.1.1.1192.168.2.50xf38bNo error (0)steamcommunity.com104.102.49.254A (IP address)IN (0x0001)false

                                                                                                                                                                                                    HTTP Request Dependency Graph

                                                                                                                                                                                                    • steamcommunity.com

                                                                                                                                                                                                    HTTPS Proxied Packets

                                                                                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                                    0192.168.2.549704104.102.49.2544431520C:\Users\user\Desktop\TBI87y49f9.exe
                                                                                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                                                                                    2025-01-12 16:41:03 UTC219OUTGET /profiles/76561199724331900 HTTP/1.1
                                                                                                                                                                                                    Connection: Keep-Alive
                                                                                                                                                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                                                                                    Host: steamcommunity.com
                                                                                                                                                                                                    2025-01-12 16:41:03 UTC1905INHTTP/1.1 200 OK
                                                                                                                                                                                                    Server: nginx
                                                                                                                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                    Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED]
                                                                                                                                                                                                    Expires: Mon, 26 Jul 1997 05:00:00 GMT
                                                                                                                                                                                                    Cache-Control: no-cache
                                                                                                                                                                                                    Date: Sun, 12 Jan 2025 16:41:03 GMT
                                                                                                                                                                                                    Content-Length: 25665
                                                                                                                                                                                                    Connection: close
                                                                                                                                                                                                    Set-Cookie: sessionid=50416a7e87dd6a708f4e611b; Path=/; Secure; SameSite=None
                                                                                                                                                                                                    Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
                                                                                                                                                                                                    2025-01-12 16:41:03 UTC14479INData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e
                                                                                                                                                                                                    Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
                                                                                                                                                                                                    2025-01-12 16:41:03 UTC11186INData Raw: 3f 6c 3d 6b 6f 72 65 61 6e 61 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 6b 6f 72 65 61 6e 61 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e ed 95 9c ea b5 ad ec 96 b4 20 28 4b 6f 72 65 61 6e 29 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 74 68 61 69 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 74 68 61 69 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e e0 b9 84 e0 b8 97 e0 b8 a2 20 28 54 68 61 69 29 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09
                                                                                                                                                                                                    Data Ascii: ?l=koreana" onclick="ChangeLanguage( 'koreana' ); return false;"> (Korean)</a><a class="popup_menu_item tight" href="?l=thai" onclick="ChangeLanguage( 'thai' ); return false;"> (Thai)</a>


                                                                                                                                                                                                    Statistics

                                                                                                                                                                                                    CPU Usage

                                                                                                                                                                                                    Click to jump to process

                                                                                                                                                                                                    Memory Usage

                                                                                                                                                                                                    Click to jump to process

                                                                                                                                                                                                    High Level Behavior Distribution

                                                                                                                                                                                                    Click to dive into process behavior distribution

                                                                                                                                                                                                    Behavior

                                                                                                                                                                                                    Click to jump to process

                                                                                                                                                                                                    System Behavior

                                                                                                                                                                                                    General

                                                                                                                                                                                                    Target ID:0
                                                                                                                                                                                                    Start time:11:40:58
                                                                                                                                                                                                    Start date:12/01/2025
                                                                                                                                                                                                    Path:C:\Users\user\Desktop\TBI87y49f9.exe
                                                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                                                    Commandline:"C:\Users\user\Desktop\TBI87y49f9.exe"
                                                                                                                                                                                                    Imagebase:0x400000
                                                                                                                                                                                                    File size:403'968 bytes
                                                                                                                                                                                                    MD5 hash:08494E6A1E788EA3259955A4524FDFEC
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Yara matches:
                                                                                                                                                                                                    • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2286759984.0000000000793000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                    • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                    Reputation:low
                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                    General

                                                                                                                                                                                                    Target ID:4
                                                                                                                                                                                                    Start time:11:41:03
                                                                                                                                                                                                    Start date:12/01/2025
                                                                                                                                                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 1668
                                                                                                                                                                                                    Imagebase:0x2f0000
                                                                                                                                                                                                    File size:483'680 bytes
                                                                                                                                                                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Reputation:high
                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                    Disassembly

                                                                                                                                                                                                    Reset < >

                                                                                                                                                                                                      Execution Graph

                                                                                                                                                                                                      Execution Coverage:1.5%
                                                                                                                                                                                                      Dynamic/Decrypted Code Coverage:32.3%
                                                                                                                                                                                                      Signature Coverage:32.3%
                                                                                                                                                                                                      Total number of Nodes:96
                                                                                                                                                                                                      Total number of Limit Nodes:7
                                                                                                                                                                                                      execution_graph 26275 408880 26277 40888f 26275->26277 26276 408ab5 ExitProcess 26277->26276 26278 4088a4 GetCurrentProcessId GetCurrentThreadId 26277->26278 26285 408a9e 26277->26285 26279 4088ca 26278->26279 26280 4088ce SHGetSpecialFolderPathW GetForegroundWindow 26278->26280 26279->26280 26282 408974 26280->26282 26287 43eb20 26282->26287 26284 4089cf 26284->26285 26290 40ba80 FreeLibrary FreeLibrary 26284->26290 26291 440240 FreeLibrary 26285->26291 26292 441850 26287->26292 26289 43eb2a RtlAllocateHeap 26289->26284 26290->26285 26291->26276 26293 441870 26292->26293 26293->26289 26293->26293 26299 40ab12 26300 40ab22 26299->26300 26301 40ab3d WSAStartup 26300->26301 26302 443190 26303 4431b0 26302->26303 26304 443298 26303->26304 26306 4402c0 LdrInitializeThunk 26303->26306 26306->26304 26307 4434d0 26308 4434e9 26307->26308 26309 44350f 26307->26309 26308->26309 26313 4402c0 LdrInitializeThunk 26308->26313 26311 443538 26311->26309 26314 4402c0 LdrInitializeThunk 26311->26314 26313->26311 26314->26309 26315 4404b1 GetForegroundWindow 26316 4404ce 26315->26316 26322 440cde 26323 440ce8 26322->26323 26325 440dae 26323->26325 26328 4402c0 LdrInitializeThunk 26323->26328 26327 4402c0 LdrInitializeThunk 26325->26327 26327->26325 26328->26325 26329 40a69b 26330 40a770 26329->26330 26330->26330 26335 40b2b0 26330->26335 26332 40a7b9 26333 40b2b0 3 API calls 26332->26333 26334 40a8d9 26333->26334 26336 40b340 26335->26336 26336->26336 26338 40b365 26336->26338 26339 440260 26336->26339 26338->26332 26340 4402a5 26339->26340 26341 440278 26339->26341 26342 44029a 26339->26342 26343 440286 26339->26343 26348 43eb40 26340->26348 26341->26340 26341->26343 26344 43eb20 RtlAllocateHeap 26342->26344 26346 44028b RtlReAllocateHeap 26343->26346 26347 4402a0 26344->26347 26346->26347 26347->26336 26349 43eb53 26348->26349 26350 43eb55 26348->26350 26349->26347 26351 43eb5a RtlFreeHeap 26350->26351 26351->26347 26352 4409b8 26354 4409d0 26352->26354 26353 440a8e 26355 440a3e 26354->26355 26358 4402c0 LdrInitializeThunk 26354->26358 26355->26353 26359 4402c0 LdrInitializeThunk 26355->26359 26358->26355 26359->26353 26360 980005 26365 98092b GetPEB 26360->26365 26362 980030 26366 98003c 26362->26366 26365->26362 26367 980049 26366->26367 26381 980e0f SetErrorMode SetErrorMode 26367->26381 26372 980265 26373 9802ce VirtualProtect 26372->26373 26375 98030b 26373->26375 26374 980439 VirtualFree 26376 9805f4 LoadLibraryA 26374->26376 26380 9804be 26374->26380 26375->26374 26379 9808c7 26376->26379 26377 9804e3 LoadLibraryA 26377->26380 26380->26376 26380->26377 26382 980223 26381->26382 26383 980d90 26382->26383 26384 980dad 26383->26384 26385 980dbb GetPEB 26384->26385 26386 980238 VirtualAlloc 26384->26386 26385->26386 26386->26372 26294 4406eb 26295 44070c 26294->26295 26296 44072e 26294->26296 26295->26296 26298 4402c0 LdrInitializeThunk 26295->26298 26298->26296 26387 793626 26388 793635 26387->26388 26391 793dc6 26388->26391 26393 793de1 26391->26393 26392 793dea CreateToolhelp32Snapshot 26392->26393 26394 793e06 Module32First 26392->26394 26393->26392 26393->26394 26395 793e15 26394->26395 26397 79363e 26394->26397 26398 793a85 26395->26398 26399 793ab0 26398->26399 26400 793af9 26399->26400 26401 793ac1 VirtualAlloc 26399->26401 26400->26400 26401->26400

                                                                                                                                                                                                      Executed Functions

                                                                                                                                                                                                      Function 00408880 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 180threadCOMMON
                                                                                                                                                                                                      Download Yara Rule

                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      • GetCurrentProcessId.KERNEL32 ref: 004088A4
                                                                                                                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 004088AE
                                                                                                                                                                                                      • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 00408955
                                                                                                                                                                                                      • GetForegroundWindow.USER32 ref: 0040896A
                                                                                                                                                                                                      • ExitProcess.KERNEL32 ref: 00408AB7
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
                                                                                                                                                                                                      • String ID: 6W01
                                                                                                                                                                                                      • API String ID: 4063528623-326071965
                                                                                                                                                                                                      • Opcode ID: 39779329cba8329f932d9f79242290fe4725b3bdf2e9b5d89c9d7ceec3140c35
                                                                                                                                                                                                      • Instruction ID: 68999dc676c32329d0dd7cdb3a03855c51f4a57e0b82bf1efaa177e53c028fce
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 39779329cba8329f932d9f79242290fe4725b3bdf2e9b5d89c9d7ceec3140c35
                                                                                                                                                                                                      • Instruction Fuzzy Hash: A0516A73B443040BD328EF659C46356BA879BC5314F0AC13EA985BB7E2ED78980586CA
                                                                                                                                                                                                      Function 0040B2B0 Relevance: 9.3, Strings: 7, Instructions: 518COMMON
                                                                                                                                                                                                      Download Yara Rule

                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                      control_flow_graph 119 40b2b0-40b338 120 40b340-40b349 119->120 120->120 121 40b34b-40b35e 120->121 123 40b700-40b74a 121->123 124 40b661-40b6ab call 408040 121->124 125 40b6b4-40b6ff 121->125 126 40b365-40b367 121->126 127 40b658-40b65c 121->127 128 40b36c-40b5a5 121->128 138 40b750-40b757 123->138 124->125 125->123 129 40ba61-40ba67 126->129 131 40ba52-40ba5e 127->131 130 40b5b0-40b635 128->130 134 40ba70 129->134 130->130 135 40b63b-40b646 130->135 131->129 139 40b64a-40b651 135->139 138->134 140 40ba00 138->140 141 40b804-40b80b 138->141 142 40b904-40b908 138->142 143 40b7c5 138->143 144 40ba06-40ba0a 138->144 145 40ba49 138->145 146 40b7cb-40b7d1 138->146 147 40b80d-40b81f 138->147 148 40b90d-40b92d 138->148 149 40b94d-40b954 138->149 150 40b990-40b994 138->150 151 40ba11-40ba16 138->151 152 40b9d8-40b9f4 138->152 153 40b95b-40b970 call 441c40 138->153 154 40b8dc-40b8e6 138->154 155 40ba1d 138->155 156 40b75e-40b76c 138->156 157 40b7e0-40b7e6 138->157 158 40b7a0-40b7bd call 441c40 138->158 159 40ba23-40ba30 138->159 160 40b9a3-40b9b5 138->160 161 40b8ed-40b902 call 441c40 138->161 162 40b7ef-40b7fd 138->162 163 40b972-40b976 138->163 164 40ba72-40ba79 138->164 165 40b773 138->165 166 40b934-40b946 138->166 167 40ba35-40ba38 138->167 168 40b779-40b794 call 441c40 138->168 169 40b97b-40b984 138->169 170 40b9bc-40b9c2 call 440260 138->170 171 40b9fd-40b9ff 138->171 139->123 139->124 139->125 139->127 139->138 139->140 139->141 139->142 139->143 139->144 139->146 139->147 139->148 139->149 139->150 139->151 139->152 139->153 139->154 139->155 139->156 139->157 139->159 139->160 139->161 139->162 139->163 139->166 139->167 139->169 139->170 139->171 178 40b83c-40b867 141->178 173 40ba3f-40ba42 142->173 143->146 144->134 144->142 144->145 144->151 144->153 144->155 144->158 144->161 144->163 144->164 144->165 144->167 144->168 145->131 146->157 179 40b820-40b834 147->179 148->134 148->140 148->142 148->144 148->145 148->149 148->150 148->151 148->152 148->153 148->155 148->158 148->159 148->160 148->161 148->163 148->164 148->165 148->166 148->167 148->168 148->169 148->170 148->171 149->134 149->142 149->145 149->153 149->158 149->161 149->163 149->164 149->165 149->168 188 40b99d 150->188 151->134 151->142 151->145 151->153 151->155 151->158 151->161 151->163 151->164 151->165 151->167 151->168 152->171 153->163 154->134 154->142 154->145 154->158 154->161 154->164 154->165 154->168 156->134 156->145 156->158 156->164 156->165 156->168 157->162 158->143 159->150 160->134 160->140 160->142 160->144 160->145 160->151 160->152 160->153 160->155 160->158 160->161 160->163 160->164 160->165 160->167 160->168 160->170 160->171 161->142 162->134 162->140 162->141 162->142 162->144 162->145 162->147 162->148 162->149 162->150 162->151 162->152 162->153 162->154 162->155 162->158 162->159 162->160 162->161 162->163 162->164 162->165 162->166 162->167 162->168 162->169 162->170 162->171 163->167 166->134 166->140 166->142 166->144 166->145 166->149 166->150 166->151 166->152 166->153 166->155 166->158 166->159 166->160 166->161 166->163 166->164 166->165 166->167 166->168 166->169 166->170 166->171 167->173 168->158 169->150 191 40b9c7-40b9d1 170->191 171->140 173->145 190 40b870-40b8b6 178->190 179->179 189 40b836-40b839 179->189 188->160 189->178 190->190 192 40b8b8-40b8d5 190->192 191->134 191->140 191->142 191->144 191->145 191->151 191->152 191->153 191->155 191->158 191->161 191->163 191->164 191->165 191->167 191->168 191->171 192->134 192->140 192->142 192->144 192->145 192->148 192->149 192->150 192->151 192->152 192->153 192->154 192->155 192->158 192->159 192->160 192->161 192->163 192->164 192->165 192->166 192->167 192->168 192->169 192->170 192->171
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: 6C(]$?_oY$@w@q$Bc*}$K{Du$`/()$fWpQ
                                                                                                                                                                                                      • API String ID: 0-74227037
                                                                                                                                                                                                      • Opcode ID: 38d3abca32f2cf0db45db9bcd24ebb0db54af3e6334d844c9839fcbf09972b5b
                                                                                                                                                                                                      • Instruction ID: 6cbb9b4a16d706e95eb7c5eb543f19fb0438a443f67131002351f3f2f8f3bf58
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 38d3abca32f2cf0db45db9bcd24ebb0db54af3e6334d844c9839fcbf09972b5b
                                                                                                                                                                                                      • Instruction Fuzzy Hash: FA1299B5205B01CFD324CF25D891B97BBF6FB45314F058A2DD5AA8BAA0DB74A406CF84
                                                                                                                                                                                                      Function 00793DC6 Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON
                                                                                                                                                                                                      Download Yara Rule

                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                      control_flow_graph 233 793dc6-793ddf 234 793de1-793de3 233->234 235 793dea-793df6 CreateToolhelp32Snapshot 234->235 236 793de5 234->236 237 793df8-793dfe 235->237 238 793e06-793e13 Module32First 235->238 236->235 237->238 243 793e00-793e04 237->243 239 793e1c-793e24 238->239 240 793e15-793e16 call 793a85 238->240 244 793e1b 240->244 243->234 243->238 244->239
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00793DEE
                                                                                                                                                                                                      • Module32First.KERNEL32(00000000,00000224), ref: 00793E0E
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286759984.0000000000793000.00000040.00000020.00020000.00000000.sdmp, Offset: 00793000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_793000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 3833638111-0
                                                                                                                                                                                                      • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                                                                                                                                      • Instruction ID: be88c2cb3288e836bde8e760933015c3f9d0c7a0da1a47bb660f8300f1f6c2ff
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 09F06235200711ABDB207AF5A88DB6A7AF8EF49725F100668E642950C0DB74E9454661
                                                                                                                                                                                                      Function 0040AA32 Relevance: 2.6, Strings: 2, Instructions: 64COMMON
                                                                                                                                                                                                      Download Yara Rule

                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                      control_flow_graph 271 40aa32-40aa35 272 40aa82 271->272 273 40aa37-40aa5f 271->273 274 40aa60-40aa72 273->274 274->274 275 40aa74-40aa7b 274->275 278 40aa00-40aa12 275->278 278->278 279 40aa14-40aa2e 278->279
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: MO$MO
                                                                                                                                                                                                      • API String ID: 0-3148518880
                                                                                                                                                                                                      • Opcode ID: 15a7f7520f170cbb2b7e14720c3e61eb56271343ee20c45e820ed2ad2248e475
                                                                                                                                                                                                      • Instruction ID: de3bae81b745c0a1c58d0910fc7dee7dc7ce1027ddf7ad09ed428793afe2e5a8
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 15a7f7520f170cbb2b7e14720c3e61eb56271343ee20c45e820ed2ad2248e475
                                                                                                                                                                                                      • Instruction Fuzzy Hash: BB119E742443818BEF148F649D916677FA0EF42320B2499A99C455F3CBC638C511CF69
                                                                                                                                                                                                      Function 004402C0 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON
                                                                                                                                                                                                      Download Yara Rule

                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                      control_flow_graph 307 4402c0-4402f2 LdrInitializeThunk
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      • LdrInitializeThunk.NTDLL(0044316E,00000002,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 004402EE
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 2994545307-0
                                                                                                                                                                                                      • Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
                                                                                                                                                                                                      • Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
                                                                                                                                                                                                      • Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82
                                                                                                                                                                                                      Function 0098003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515memoryCOMMON
                                                                                                                                                                                                      Download Yara Rule

                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                      control_flow_graph 0 98003c-980047 1 980049 0->1 2 98004c-980263 call 980a3f call 980e0f call 980d90 VirtualAlloc 0->2 1->2 17 98028b-980292 2->17 18 980265-980289 call 980a69 2->18 20 9802a1-9802b0 17->20 22 9802ce-9803c2 VirtualProtect call 980cce call 980ce7 18->22 20->22 23 9802b2-9802cc 20->23 29 9803d1-9803e0 22->29 23->20 30 980439-9804b8 VirtualFree 29->30 31 9803e2-980437 call 980ce7 29->31 33 9804be-9804cd 30->33 34 9805f4-9805fe 30->34 31->29 36 9804d3-9804dd 33->36 37 98077f-980789 34->37 38 980604-98060d 34->38 36->34 42 9804e3-980505 LoadLibraryA 36->42 40 98078b-9807a3 37->40 41 9807a6-9807b0 37->41 38->37 43 980613-980637 38->43 40->41 44 98086e-9808be LoadLibraryA 41->44 45 9807b6-9807cb 41->45 46 980517-980520 42->46 47 980507-980515 42->47 48 98063e-980648 43->48 52 9808c7-9808f9 44->52 49 9807d2-9807d5 45->49 50 980526-980547 46->50 47->50 48->37 51 98064e-98065a 48->51 53 980824-980833 49->53 54 9807d7-9807e0 49->54 55 98054d-980550 50->55 51->37 56 980660-98066a 51->56 57 9808fb-980901 52->57 58 980902-98091d 52->58 64 980839-98083c 53->64 59 9807e2 54->59 60 9807e4-980822 54->60 61 9805e0-9805ef 55->61 62 980556-98056b 55->62 63 98067a-980689 56->63 57->58 59->53 60->49 61->36 65 98056d 62->65 66 98056f-98057a 62->66 67 98068f-9806b2 63->67 68 980750-98077a 63->68 64->44 69 98083e-980847 64->69 65->61 71 98059b-9805bb 66->71 72 98057c-980599 66->72 73 9806ef-9806fc 67->73 74 9806b4-9806ed 67->74 68->48 75 980849 69->75 76 98084b-98086c 69->76 83 9805bd-9805db 71->83 72->83 77 98074b 73->77 78 9806fe-980748 73->78 74->73 75->44 76->64 77->63 78->77 83->55
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0098024D
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: AllocVirtual
                                                                                                                                                                                                      • String ID: cess$kernel32.dll
                                                                                                                                                                                                      • API String ID: 4275171209-1230238691
                                                                                                                                                                                                      • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                                                                                                                                      • Instruction ID: f6b099ca74b8762beffdc98c6061d2e41b751e78b578cd37a8b5982c0e725a0e
                                                                                                                                                                                                      • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 64527974A01229DFDBA4CF58C984BA8BBB1BF49304F1480D9E54DAB351DB34AE88DF14
                                                                                                                                                                                                      Function 00980E0F Relevance: 3.0, APIs: 2, Instructions: 15COMMON
                                                                                                                                                                                                      Download Yara Rule

                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                      control_flow_graph 246 980e0f-980e24 SetErrorMode * 2 247 980e2b-980e2c 246->247 248 980e26 246->248 248->247
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      • SetErrorMode.KERNELBASE(00000400,?,?,00980223,?,?), ref: 00980E19
                                                                                                                                                                                                      • SetErrorMode.KERNELBASE(00000000,?,?,00980223,?,?), ref: 00980E1E
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: ErrorMode
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 2340568224-0
                                                                                                                                                                                                      • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                                                                                                                                      • Instruction ID: 9babd65add41787fb28cde530e85498eb8af6e9ca6adf2efde711e6f51a07407
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 77D0123114512877D7403A94DC09BCE7B1CDF05B62F008411FB0DDA181C770994047E5
                                                                                                                                                                                                      Function 00440260 Relevance: 1.5, APIs: 1, Instructions: 30memoryCOMMON
                                                                                                                                                                                                      Download Yara Rule

                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                      control_flow_graph 281 440260-440271 282 4402a5-4402a6 call 43eb40 281->282 283 440286-440298 call 441850 RtlReAllocateHeap 281->283 284 440278-44027f 281->284 285 44029a-4402a3 call 43eb20 281->285 291 4402ab-4402ae 282->291 292 4402b0-4402b2 283->292 284->282 284->283 285->292 291->292
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      • RtlReAllocateHeap.NTDLL(?,00000000,?,?,?,00000000,0040B9C7,00000000,00000001), ref: 00440292
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: AllocateHeap
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 1279760036-0
                                                                                                                                                                                                      • Opcode ID: e3ca6a36a028ff54866f16376779860b9096701dd45936173a9f18f59b7a354d
                                                                                                                                                                                                      • Instruction ID: c7e132dbbf166c87dd4ca7ba8e526d96017081e21b1d4d371130b4eff19db060
                                                                                                                                                                                                      • Opcode Fuzzy Hash: e3ca6a36a028ff54866f16376779860b9096701dd45936173a9f18f59b7a354d
                                                                                                                                                                                                      • Instruction Fuzzy Hash: C3E02B32404310ABD2026F397C06B177674EFC6715F05087AF50156151DB38F811C5DE
                                                                                                                                                                                                      Function 0040AB12 Relevance: 1.5, APIs: 1, Instructions: 20networkCOMMON
                                                                                                                                                                                                      Download Yara Rule

                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                      control_flow_graph 293 40ab12-40ab5b call 441c40 * 2 WSAStartup
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      • WSAStartup.WS2_32(00000202), ref: 0040AB46
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: Startup
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 724789610-0
                                                                                                                                                                                                      • Opcode ID: b187d8107ffde8e05c7d0a09cdfc1bb296f851924af62c815b9bdc52e44f9908
                                                                                                                                                                                                      • Instruction ID: 8daa5b18d499817a70b2f557c0c6df6f58e6f2abf740e83111143c9212bc1643
                                                                                                                                                                                                      • Opcode Fuzzy Hash: b187d8107ffde8e05c7d0a09cdfc1bb296f851924af62c815b9bdc52e44f9908
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0AE02B7A5D5104BBF2486751FD4FC563616BB4330AB08413DFC185017BD6511426C66A
                                                                                                                                                                                                      Function 0043EB40 Relevance: 1.5, APIs: 1, Instructions: 15memoryCOMMON
                                                                                                                                                                                                      Download Yara Rule

                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                      control_flow_graph 299 43eb40-43eb4c 300 43eb53-43eb54 299->300 301 43eb55-43eb67 call 441850 RtlFreeHeap 299->301
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      • RtlFreeHeap.NTDLL(?,00000000,?,004402AB,?,0040B9C7,00000000,00000001), ref: 0043EB60
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: FreeHeap
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 3298025750-0
                                                                                                                                                                                                      • Opcode ID: 81edc790b0ddca4267d7eff7df3f20d03a026a9a6739d0257eb6886926d10809
                                                                                                                                                                                                      • Instruction ID: 6306fd139b63709815d779222b474fbda691f96f30962fae2caf2063fc0eb5d0
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 81edc790b0ddca4267d7eff7df3f20d03a026a9a6739d0257eb6886926d10809
                                                                                                                                                                                                      • Instruction Fuzzy Hash: FDD0C931445536FBC6102F28BC06BCB3B94EF497A5F0708A5F540AA075E725DC918AD8
                                                                                                                                                                                                      Function 004404B1 Relevance: 1.5, APIs: 1, Instructions: 15COMMON
                                                                                                                                                                                                      Download Yara Rule

                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                      control_flow_graph 304 4404b1-4404c9 GetForegroundWindow call 4421e0 306 4404ce-4404e8 304->306
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      • GetForegroundWindow.USER32 ref: 004404BF
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: ForegroundWindow
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 2020703349-0
                                                                                                                                                                                                      • Opcode ID: ac82542d7ead4e5736e61cdedea6fc5be5df443e6220e35db9291a32a896b3cb
                                                                                                                                                                                                      • Instruction ID: 7f86c14d6ce35f706de72b94d0a04e46592ace6e5707a2a12f6891b8fa8e10aa
                                                                                                                                                                                                      • Opcode Fuzzy Hash: ac82542d7ead4e5736e61cdedea6fc5be5df443e6220e35db9291a32a896b3cb
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 15E0E2B9900214DBEB44CF68FC9592933B5EB8B3093040439E202C3362EA34E602CF59
                                                                                                                                                                                                      Function 0043EB20 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON
                                                                                                                                                                                                      Download Yara Rule

                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                      control_flow_graph 308 43eb20-43eb37 call 441850 RtlAllocateHeap
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      • RtlAllocateHeap.NTDLL(?,00000000,?,E931068D,004089CF,6W01), ref: 0043EB30
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: AllocateHeap
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 1279760036-0
                                                                                                                                                                                                      • Opcode ID: 79e8824736e673c164acaa36c8672ab8da0624bb6b492fb9ad0aed697a58ad7a
                                                                                                                                                                                                      • Instruction ID: faa30900258afa928b287b4fa720072893bcbdc8cd762d9751037a3417221d58
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 79e8824736e673c164acaa36c8672ab8da0624bb6b492fb9ad0aed697a58ad7a
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 91C04C31045120ABD5506B15EC05BC63B54DF852A5F020065B105660718660ACC2C698
                                                                                                                                                                                                      Function 00793A85 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 00793AD6
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286759984.0000000000793000.00000040.00000020.00020000.00000000.sdmp, Offset: 00793000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_793000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: AllocVirtual
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 4275171209-0
                                                                                                                                                                                                      • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                                                                                                                                      • Instruction ID: cbc396b856c65149d46034890da21dbf3ecdbaa3a97734dc7fc67cc87be2f2bb
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3F113C79A00208EFDB01DF98C989E98BFF5AF08751F0580A4F9489B362D375EA50DF90

                                                                                                                                                                                                      Non-executed Functions

                                                                                                                                                                                                      Function 00423EFF Relevance: 70.4, Strings: 56, Instructions: 350COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: &$&$($-$/$0$0$1$1$2$4$7$8$:$>$>$?$?$@$@$A$B$D$F$H$J$L$N$N$Q$V$X$\$^$`$b$d$f$f$h$h$j$l$n$n$p$q$r$t$v$x$x$z$|$}$~
                                                                                                                                                                                                      • API String ID: 0-1862720121
                                                                                                                                                                                                      • Opcode ID: c5d1dad0e18394a26f368b4fdc11b7f874ac40861fef3467ff25af8bb3c0dbef
                                                                                                                                                                                                      • Instruction ID: 27bd2a0d4c2ee2dbe7fab43400867feab0dee6ac78a78b22b0fd1ff9dbe20428
                                                                                                                                                                                                      • Opcode Fuzzy Hash: c5d1dad0e18394a26f368b4fdc11b7f874ac40861fef3467ff25af8bb3c0dbef
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 45026021D087D989DB22C67C8C483CDBFA11B63324F4843EDD5E86B3D6D6B90946CB66
                                                                                                                                                                                                      Function 009A4166 Relevance: 70.4, Strings: 56, Instructions: 350COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: &$&$($-$/$0$0$1$1$2$4$7$8$:$>$>$?$?$@$@$A$B$D$F$H$J$L$N$N$Q$V$X$\$^$`$b$d$f$f$h$h$j$l$n$n$p$q$r$t$v$x$x$z$|$}$~
                                                                                                                                                                                                      • API String ID: 0-1862720121
                                                                                                                                                                                                      • Opcode ID: c5d1dad0e18394a26f368b4fdc11b7f874ac40861fef3467ff25af8bb3c0dbef
                                                                                                                                                                                                      • Instruction ID: 7375c30724d2d988a25d340f4ac3ee68e084974b79566601f808c945b21be343
                                                                                                                                                                                                      • Opcode Fuzzy Hash: c5d1dad0e18394a26f368b4fdc11b7f874ac40861fef3467ff25af8bb3c0dbef
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 02025121D087D989DB22C67C8C483DDBFA11B63324F1883DDD1E86B3D6D6B94546CB62
                                                                                                                                                                                                      Function 0043A4EF Relevance: 55.3, Strings: 44, Instructions: 311COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: %$+$0$3$9$:$<$=$>$A$C$D$E$G$H/}$I$K$L$M$a$a$c$c$e$e$g$g$i$i$k$k$m$m$n$o$o$q$s$u$w$x$y${$}
                                                                                                                                                                                                      • API String ID: 0-3913017395
                                                                                                                                                                                                      • Opcode ID: 64b6cdda28aa021313f1cbb0850f2494ccdc33704329f9a8e3918c3b304d7149
                                                                                                                                                                                                      • Instruction ID: 5a335782380f72e06434a0b7d1c84293c6c1cbd051fad8399b30b8532d7f13f9
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 64b6cdda28aa021313f1cbb0850f2494ccdc33704329f9a8e3918c3b304d7149
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0EF170319086E98ADB22C63C8C443DDBFB15B56324F0847D9D0A96B3D2C7794F86CB66
                                                                                                                                                                                                      Function 009BA756 Relevance: 55.3, Strings: 44, Instructions: 311COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: %$+$0$3$9$:$<$=$>$A$C$D$E$G$H/}$I$K$L$M$a$a$c$c$e$e$g$g$i$i$k$k$m$m$n$o$o$q$s$u$w$x$y${$}
                                                                                                                                                                                                      • API String ID: 0-3913017395
                                                                                                                                                                                                      • Opcode ID: 0e20f868d951b71e29e37dcac279c8b11e3bc4ef153ff36d24d69365c9a94d1d
                                                                                                                                                                                                      • Instruction ID: 965a3a384fda5427e51452f223e7221920f0d5a0febbaca56ed62c09745d1ba9
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0e20f868d951b71e29e37dcac279c8b11e3bc4ef153ff36d24d69365c9a94d1d
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 67F161319086E98ADB32C63C8C443DDBFA15B52324F0847D9D0A96B3D2C7754F86CB62
                                                                                                                                                                                                      Function 00439923 Relevance: 51.6, Strings: 41, Instructions: 391COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: $$*$-$1$2$4$5$7$<$=$=$=$F$F$G$H$H/}$I$O$S$S$T$U$Y$Z$]$_$c$e$f$i$i$j$j$r$s$t$w$x${$~
                                                                                                                                                                                                      • API String ID: 0-3598092864
                                                                                                                                                                                                      • Opcode ID: 9858d768ba85f4fc7c06e0a387e2414925c75b509ec035ed4b4a87323aee9e67
                                                                                                                                                                                                      • Instruction ID: be7a992d2d4842197a1748c1c2319ac7c28ec811ade833faf29c06d267706092
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 9858d768ba85f4fc7c06e0a387e2414925c75b509ec035ed4b4a87323aee9e67
                                                                                                                                                                                                      • Instruction Fuzzy Hash: E8224F219087EA89DB32C67C8C483CDBFA15B67224F1843D9D4F86B3D6C7750A46CB66
                                                                                                                                                                                                      Function 009B9B8A Relevance: 51.6, Strings: 41, Instructions: 391COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: $$*$-$1$2$4$5$7$<$=$=$=$F$F$G$H$H/}$I$O$S$S$T$U$Y$Z$]$_$c$e$f$i$i$j$j$r$s$t$w$x${$~
                                                                                                                                                                                                      • API String ID: 0-3598092864
                                                                                                                                                                                                      • Opcode ID: c3789e24d09f43a8b0542d61fba22105114c5098dcea2457330ee2163c950db7
                                                                                                                                                                                                      • Instruction ID: f46a388d4980843ef8e1e3b1320d354bc2fd7d75cbea779ddd9b97303ae75976
                                                                                                                                                                                                      • Opcode Fuzzy Hash: c3789e24d09f43a8b0542d61fba22105114c5098dcea2457330ee2163c950db7
                                                                                                                                                                                                      • Instruction Fuzzy Hash: A7225D219087EA89DB32C67C8C487CDBEA15B67234F1843D9D4F86B3D2C7750A46CB66
                                                                                                                                                                                                      Function 0043B870 Relevance: 35.9, APIs: 10, Strings: 10, Instructions: 880memorycomCOMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      • CoCreateInstance.OLE32(CDCCD3E7,00000000,00000001,?,00000000), ref: 0043BCCC
                                                                                                                                                                                                      • SysAllocString.OLEAUT32(37C935C6), ref: 0043BD46
                                                                                                                                                                                                      • CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0043BD84
                                                                                                                                                                                                      • SysAllocString.OLEAUT32(37C935C6), ref: 0043BDE9
                                                                                                                                                                                                      • SysAllocString.OLEAUT32(37C935C6), ref: 0043BED0
                                                                                                                                                                                                      • VariantInit.OLEAUT32(?), ref: 0043BF3E
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: AllocString$BlanketCreateInitInstanceProxyVariant
                                                                                                                                                                                                      • String ID: M$96$:;$%$F*R($[&h$$e?^$k"@ $n:T8$#~|$#~|
                                                                                                                                                                                                      • API String ID: 65563702-2807872674
                                                                                                                                                                                                      • Opcode ID: b9f6e505c8dc3f742046bcb89f644a5fe799d125bb799c1c1616f98f374443e3
                                                                                                                                                                                                      • Instruction ID: 0fa8c84a7900d0f22f2d4f21e88135ff08406c7ea1f94cba9a5970d36c475c8e
                                                                                                                                                                                                      • Opcode Fuzzy Hash: b9f6e505c8dc3f742046bcb89f644a5fe799d125bb799c1c1616f98f374443e3
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 735202726083408BD714CF68C88176BFBE1EF89314F189A2EE5D597391D778D806CB96
                                                                                                                                                                                                      Function 009BBAD7 Relevance: 32.4, APIs: 8, Strings: 10, Instructions: 880memorycomCOMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      • CoCreateInstance.COMBASE(CDCCD3E7,00000000,00000001,?,00000000), ref: 009BBF33
                                                                                                                                                                                                      • SysAllocString.OLEAUT32(37C935C6), ref: 009BBFAD
                                                                                                                                                                                                      • CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 009BBFEB
                                                                                                                                                                                                      • SysAllocString.OLEAUT32(37C935C6), ref: 009BC050
                                                                                                                                                                                                      • SysAllocString.OLEAUT32(37C935C6), ref: 009BC137
                                                                                                                                                                                                      • VariantInit.OLEAUT32(?), ref: 009BC1A5
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: AllocString$BlanketCreateInitInstanceProxyVariant
                                                                                                                                                                                                      • String ID: M$96$:;$%$F*R($[&h$$e?^$k"@ $n:T8$#~|$#~|
                                                                                                                                                                                                      • API String ID: 65563702-2807872674
                                                                                                                                                                                                      • Opcode ID: 9f1f51344e39299604904236268e70905638ee0f88f663c1ee43faa23c8ba667
                                                                                                                                                                                                      • Instruction ID: 72152f89623e0c1f3df4d2d113066677439d2efb5bbbf5b3d39e4bfaf5aa9ee8
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 9f1f51344e39299604904236268e70905638ee0f88f663c1ee43faa23c8ba667
                                                                                                                                                                                                      • Instruction Fuzzy Hash: BF52FF726083408BD724CF28C9917AFBBE5EFC5324F188A2DE5959B391D778D806CB52
                                                                                                                                                                                                      Function 00436980 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 230windowCOMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      • GetDC.USER32(00000000), ref: 00436989
                                                                                                                                                                                                      • GetSystemMetrics.USER32(0000004C), ref: 00436999
                                                                                                                                                                                                      • GetSystemMetrics.USER32(0000004D), ref: 004369A1
                                                                                                                                                                                                      • GetCurrentObject.GDI32(00000000,00000007), ref: 004369AA
                                                                                                                                                                                                      • GetObjectW.GDI32(00000000,00000018,?), ref: 004369BA
                                                                                                                                                                                                      • DeleteObject.GDI32(00000000), ref: 004369C1
                                                                                                                                                                                                      • CreateCompatibleDC.GDI32(00000000), ref: 004369D0
                                                                                                                                                                                                      • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004369DB
                                                                                                                                                                                                      • SelectObject.GDI32(00000000,00000000), ref: 004369E7
                                                                                                                                                                                                      • BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,00CC0020), ref: 00436A0A
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: Object$CompatibleCreateMetricsSystem$BitmapCurrentDeleteSelect
                                                                                                                                                                                                      • String ID: Y
                                                                                                                                                                                                      • API String ID: 1298755333-3233089245
                                                                                                                                                                                                      • Opcode ID: c24b2a11f15356cf646cf834205c4c04271eabb57bf08da4818dca27ea7b735a
                                                                                                                                                                                                      • Instruction ID: ce6842184c50d62c14bce23637ee5c5f438d7dfa952fd3edf86735d4080956a5
                                                                                                                                                                                                      • Opcode Fuzzy Hash: c24b2a11f15356cf646cf834205c4c04271eabb57bf08da4818dca27ea7b735a
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4A81C33A158310EFD7489FB4AC49A3B7BA5FB8A352F050C3CF546D2290C73995168B2B
                                                                                                                                                                                                      Function 004367F0 Relevance: 29.9, APIs: 6, Strings: 11, Instructions: 109clipboardCOMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
                                                                                                                                                                                                      • String ID: @$B$C$E$F$K$N$O$t${$}
                                                                                                                                                                                                      • API String ID: 2832541153-984153585
                                                                                                                                                                                                      • Opcode ID: bcc03291c71dc1ac25c6e95f0924d253445351a4da78695e986e918d99809bc9
                                                                                                                                                                                                      • Instruction ID: d12379fae56aa42f0d26b1a9ba346e1c7749dd96ee15ae9ce42ccc61be201c2c
                                                                                                                                                                                                      • Opcode Fuzzy Hash: bcc03291c71dc1ac25c6e95f0924d253445351a4da78695e986e918d99809bc9
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 65418FB050C3818ED301EF78D58931FBFE0AF96318F05492EE4C996292D67D8549CBAB
                                                                                                                                                                                                      Function 00425100 Relevance: 25.0, APIs: 3, Strings: 11, Instructions: 480COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000), ref: 004251AA
                                                                                                                                                                                                      • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000), ref: 00425243
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: EnvironmentExpandStrings
                                                                                                                                                                                                      • String ID: +$e$+$e$%\)R$,X*^$.T'j$1D6Z$:@&F$?P:V$C`<f$XY$]RB
                                                                                                                                                                                                      • API String ID: 237503144-2846770461
                                                                                                                                                                                                      • Opcode ID: be84ad2a2dc8deef5579fea24953012850529ab1ccaeb00d1e318e8ad6242404
                                                                                                                                                                                                      • Instruction ID: b6d59b0557f70d7ec2d4011febfa6e18cf4a5b2df19338a98cc8181bc2575411
                                                                                                                                                                                                      • Opcode Fuzzy Hash: be84ad2a2dc8deef5579fea24953012850529ab1ccaeb00d1e318e8ad6242404
                                                                                                                                                                                                      • Instruction Fuzzy Hash: E7F1EDB4208350DFD310DF69E89166BBBE0FFC5314F54892DE5958B362E7B88906CB46
                                                                                                                                                                                                      Function 00425D6A Relevance: 17.0, Strings: 13, Instructions: 778COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: $@7F$(X#^$+\1R$-T,j$2E1G$4D2Z$8I>K$H/}$T`Sf$Wdz$&$$qs$uVw
                                                                                                                                                                                                      • API String ID: 0-622641942
                                                                                                                                                                                                      • Opcode ID: dbc9d13701a6f1f84a1fbda366b061da39485b638189b278c3f43e1cc0e4d0b6
                                                                                                                                                                                                      • Instruction ID: c261d025133841230159ca5431fd9423a817dc7e9349410c690f11e8db15d26c
                                                                                                                                                                                                      • Opcode Fuzzy Hash: dbc9d13701a6f1f84a1fbda366b061da39485b638189b278c3f43e1cc0e4d0b6
                                                                                                                                                                                                      • Instruction Fuzzy Hash: FA7283B4A05269CFDB24CF55D881BDDBBB2FB46300F1181E9C5496B362DB349A86CF84
                                                                                                                                                                                                      Function 00419840 Relevance: 16.7, APIs: 2, Strings: 7, Instructions: 936COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      • FreeLibrary.KERNEL32(?), ref: 00419CE7
                                                                                                                                                                                                      • FreeLibrary.KERNEL32(?), ref: 00419D24
                                                                                                                                                                                                        • Part of subcall function 004402C0: LdrInitializeThunk.NTDLL(0044316E,00000002,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 004402EE
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: FreeLibrary$InitializeThunk
                                                                                                                                                                                                      • String ID: ~|$H/}$SP$if$pv$tj$vt
                                                                                                                                                                                                      • API String ID: 764372645-4105560157
                                                                                                                                                                                                      • Opcode ID: e0b58ed5ff15dc801148dc9f86a9132d6192a83ea1caeaa00bd99fa001171b69
                                                                                                                                                                                                      • Instruction ID: c1c817f51924b2b6e01bbc71c3bfe870e6f9d21007064de5033cd7ab66586395
                                                                                                                                                                                                      • Opcode Fuzzy Hash: e0b58ed5ff15dc801148dc9f86a9132d6192a83ea1caeaa00bd99fa001171b69
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5D624770609310AFE724CB15DC9176BB7E2EFC5314F18862DF495973A1D378AC858B4A
                                                                                                                                                                                                      Function 00999AA7 Relevance: 16.7, APIs: 2, Strings: 7, Instructions: 936COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: FreeLibrary
                                                                                                                                                                                                      • String ID: ~|$H/}$SP$if$pv$tj$vt
                                                                                                                                                                                                      • API String ID: 3664257935-4105560157
                                                                                                                                                                                                      • Opcode ID: 557abf3bdc5e1b4c31fa4c16cb7a998475db0352c266ee35ae4fbd844e0422db
                                                                                                                                                                                                      • Instruction ID: b4bd15d72e1df1b5a0b858a8276c30b7c7d6ff7c5c8028577f9033c1de0aa2c5
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 557abf3bdc5e1b4c31fa4c16cb7a998475db0352c266ee35ae4fbd844e0422db
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5662F570609350AFEB24CB1DCC81B2EB7EAEFD5314F18862CF495972A1D371AC458B96
                                                                                                                                                                                                      Function 009A60B7 Relevance: 15.5, Strings: 12, Instructions: 458COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: $@7F$(X#^$+\1R$-T,j$2E1G$4D2Z$8I>K$T`Sf$Wdz$&$$qs$uVw
                                                                                                                                                                                                      • API String ID: 0-2419925205
                                                                                                                                                                                                      • Opcode ID: 7f03e2cf2ff76769e2eca3cb1bafa80f1ab81eb052e5b20bbb5ada621e185149
                                                                                                                                                                                                      • Instruction ID: f546a7f1fa24ca8745a0f5147fab4ea69b5ab54c7f25a8f35d1ca7c73ac32c7b
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 7f03e2cf2ff76769e2eca3cb1bafa80f1ab81eb052e5b20bbb5ada621e185149
                                                                                                                                                                                                      • Instruction Fuzzy Hash: E7422CB0905369CFDB64CF56D981BCDBBB1FB06300F1185E8C1996B262DB748A86CF85
                                                                                                                                                                                                      Function 00417405 Relevance: 15.1, APIs: 4, Strings: 4, Instructions: 1110COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: 5&'d$H/}$O$~
                                                                                                                                                                                                      • API String ID: 0-3671818696
                                                                                                                                                                                                      • Opcode ID: 8b914b4801975b71dea4b75609ed348123c7e1e6468bc6ef1cacffb89bf502a6
                                                                                                                                                                                                      • Instruction ID: 7c8e188e2ff574dc84e1e58bec60109b2722ae2eee07efcef2931a8160e5a92b
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 8b914b4801975b71dea4b75609ed348123c7e1e6468bc6ef1cacffb89bf502a6
                                                                                                                                                                                                      • Instruction Fuzzy Hash: AC820F7550C3518BC324CF28C8917ABB7E1FF99314F198A6EE4C99B391E7389941CB4A
                                                                                                                                                                                                      Function 00415720 Relevance: 13.0, Strings: 9, Instructions: 1798COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: 9?4<$BYQZ$DASS$F2}0$H/}$L$NR@:$R(RW$a
                                                                                                                                                                                                      • API String ID: 0-1326139629
                                                                                                                                                                                                      • Opcode ID: 83579c757a543f9f659438346f364b36b2e078702eec510370abc902ff0d75f9
                                                                                                                                                                                                      • Instruction ID: 7f7427958d78b94ffc8c4a18595fe2cbb503adca6349e1c34573b0944bc9dd97
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 83579c757a543f9f659438346f364b36b2e078702eec510370abc902ff0d75f9
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 80C21675608350DFD7209F28D8957ABB7E2EFC6314F19892DE4C98B391EB389841CB46
                                                                                                                                                                                                      Function 004257E0 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 295COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 004258F4
                                                                                                                                                                                                      • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 0042595D
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: EnvironmentExpandStrings
                                                                                                                                                                                                      • String ID: B"@$)RSP$=^"\$`J/H$rp
                                                                                                                                                                                                      • API String ID: 237503144-816972838
                                                                                                                                                                                                      • Opcode ID: bf1cafb989073c4553b17663fd8b05ca961829d4f2cee33832e91d81a2f5237f
                                                                                                                                                                                                      • Instruction ID: cd6e5e946c3164ee33c4da05371f075d598195140dbb1deecb8ac0c04a2143aa
                                                                                                                                                                                                      • Opcode Fuzzy Hash: bf1cafb989073c4553b17663fd8b05ca961829d4f2cee33832e91d81a2f5237f
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9DA110B6E402188FDB10CFA8DC827EEBBB1FF85314F154169E414AB291D7B59942CB94
                                                                                                                                                                                                      Function 00427860 Relevance: 11.7, Strings: 9, Instructions: 409COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: H/}$J+$JW$]_$bX_^$r}B$+5$/)$3=
                                                                                                                                                                                                      • API String ID: 0-3421305029
                                                                                                                                                                                                      • Opcode ID: 4f300e806615f3e46f25d2dfee94d4050b3e57adbeef3450ddc0df426ccfbfa4
                                                                                                                                                                                                      • Instruction ID: 44c300c69855992b2f16a9d4ad0dfeec6e614c77fc8171f72a5c7ce453eec0d9
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4f300e806615f3e46f25d2dfee94d4050b3e57adbeef3450ddc0df426ccfbfa4
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9FD1DEB461C340DFE7249F25E881B6BB7A2FBC6304F94892DF1858B391DB749805CB5A
                                                                                                                                                                                                      Function 0041C400 Relevance: 10.8, Strings: 8, Instructions: 842COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: *H%N$+P%V$,X0^$,\/b$2T'Z$4D"J$C`6f$C`6f
                                                                                                                                                                                                      • API String ID: 0-102253164
                                                                                                                                                                                                      • Opcode ID: 7d18ccd7fb329c2f7a5c3569352263da56546af64857bf12c5cea43640fe8961
                                                                                                                                                                                                      • Instruction ID: 7c24634cc790d3dc5544db0222c0a2221dcce8583ae8b0beabc19f11c9a677e2
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 7d18ccd7fb329c2f7a5c3569352263da56546af64857bf12c5cea43640fe8961
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 923202B19402118BCB24CF24CC927A7B7B2FF95314F28829DD851AF395E779A842CBD5
                                                                                                                                                                                                      Function 0099C667 Relevance: 10.8, Strings: 8, Instructions: 842COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: *H%N$+P%V$,X0^$,\/b$2T'Z$4D"J$C`6f$C`6f
                                                                                                                                                                                                      • API String ID: 0-102253164
                                                                                                                                                                                                      • Opcode ID: f96fe7a7a370e0a426616b44d01145cf498bc23b6eb0afd2ea812e4552abdc14
                                                                                                                                                                                                      • Instruction ID: ef718ab1868d2ae8cea6e81ea8fd15d23a75e13c12003d895c230e4d79ebe352
                                                                                                                                                                                                      • Opcode Fuzzy Hash: f96fe7a7a370e0a426616b44d01145cf498bc23b6eb0afd2ea812e4552abdc14
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 853204F19002118BCB24CF29CC927B6B7B2FF95314F29829CD845AF795E775A802CB91
                                                                                                                                                                                                      Function 00988AE7 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 180threadCOMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      • GetCurrentProcessId.KERNEL32 ref: 00988B0B
                                                                                                                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 00988B15
                                                                                                                                                                                                      • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 00988BBC
                                                                                                                                                                                                      • GetForegroundWindow.USER32 ref: 00988BD1
                                                                                                                                                                                                      • ExitProcess.KERNEL32 ref: 00988D1E
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
                                                                                                                                                                                                      • String ID: 6W01
                                                                                                                                                                                                      • API String ID: 4063528623-326071965
                                                                                                                                                                                                      • Opcode ID: bfbdd2f4eb40b0c99f42f083f1dd3dcee64ae0e50d961520efab8e0958816b30
                                                                                                                                                                                                      • Instruction ID: 3e15702c2c106a145a4883c3336d0dc38d7aec26a5f5b11135ce029b25e7e736
                                                                                                                                                                                                      • Opcode Fuzzy Hash: bfbdd2f4eb40b0c99f42f083f1dd3dcee64ae0e50d961520efab8e0958816b30
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 01516A73A403040BD328BF648C46356BA8B9BC1310F1BC1399985AB3E6ED788C068795
                                                                                                                                                                                                      Function 00420D90 Relevance: 10.5, Strings: 8, Instructions: 470COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: "G3A$%K9U$2W<Q$<O)I$>C;M$>C;M"G3A$?S2]$?_%Y
                                                                                                                                                                                                      • API String ID: 0-2668584225
                                                                                                                                                                                                      • Opcode ID: d10a81d34372c35a96c2f8986c5506c0c6912e9abd80cece7959baf4c885c2f5
                                                                                                                                                                                                      • Instruction ID: 1eff8263789fd2a08f3fecf0f268f16acf59bb1ac0ae24da522a1f75b62227ff
                                                                                                                                                                                                      • Opcode Fuzzy Hash: d10a81d34372c35a96c2f8986c5506c0c6912e9abd80cece7959baf4c885c2f5
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 28E101756083108BC324CF64C89276BB7F1EFE6314F498A5DE4D69B3A4E3389905CB96
                                                                                                                                                                                                      Function 004186FC Relevance: 9.8, Strings: 7, Instructions: 1000COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: +$<$H)G+$H/}$NmNo$]a_c$tu
                                                                                                                                                                                                      • API String ID: 0-473133970
                                                                                                                                                                                                      • Opcode ID: 6d71389cbb69697272ef7968fa8146cab96ec6b278bf575547bf9789760e162a
                                                                                                                                                                                                      • Instruction ID: c7a3f77f71ded0b9311dc6516a729683f4fb7c759b6558f4b3eb03d829b5ec1a
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6d71389cbb69697272ef7968fa8146cab96ec6b278bf575547bf9789760e162a
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 925216741093509FD724CF28C8917ABB7E1FF86314F184A6DE4D68B391DB38A845CB9A
                                                                                                                                                                                                      Function 0040D545 Relevance: 9.3, APIs: 1, Strings: 5, Instructions: 349COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                        • Part of subcall function 00436980: GetDC.USER32(00000000), ref: 00436989
                                                                                                                                                                                                        • Part of subcall function 00436980: GetSystemMetrics.USER32(0000004C), ref: 00436999
                                                                                                                                                                                                        • Part of subcall function 00436980: GetSystemMetrics.USER32(0000004D), ref: 004369A1
                                                                                                                                                                                                        • Part of subcall function 00436980: GetCurrentObject.GDI32(00000000,00000007), ref: 004369AA
                                                                                                                                                                                                        • Part of subcall function 00436980: GetObjectW.GDI32(00000000,00000018,?), ref: 004369BA
                                                                                                                                                                                                        • Part of subcall function 00436980: DeleteObject.GDI32(00000000), ref: 004369C1
                                                                                                                                                                                                        • Part of subcall function 00436980: CreateCompatibleDC.GDI32(00000000), ref: 004369D0
                                                                                                                                                                                                        • Part of subcall function 00436980: CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004369DB
                                                                                                                                                                                                        • Part of subcall function 00436980: SelectObject.GDI32(00000000,00000000), ref: 004369E7
                                                                                                                                                                                                        • Part of subcall function 00436980: BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,00CC0020), ref: 00436A0A
                                                                                                                                                                                                      • CoUninitialize.OLE32 ref: 0040D555
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: Object$CompatibleCreateMetricsSystem$BitmapCurrentDeleteSelectUninitialize
                                                                                                                                                                                                      • String ID: &W-Q$9Y$?C*]$|qay$~wxH
                                                                                                                                                                                                      • API String ID: 3213364925-1959178137
                                                                                                                                                                                                      • Opcode ID: ae45af60d508102decc7da59701e9a4893ce939ff9a93b35a5cd895196908ad5
                                                                                                                                                                                                      • Instruction ID: aef483f231ee1e61a479db6060b0077f9689b526eef662d52e770a901b229f69
                                                                                                                                                                                                      • Opcode Fuzzy Hash: ae45af60d508102decc7da59701e9a4893ce939ff9a93b35a5cd895196908ad5
                                                                                                                                                                                                      • Instruction Fuzzy Hash: EEB115756047818BE325CF2AC4D0762BBE2FF96300B18C5ADC4D64BB86D738A806CB95
                                                                                                                                                                                                      Function 0098D7AC Relevance: 9.3, APIs: 1, Strings: 5, Instructions: 349COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                        • Part of subcall function 009B6BE7: GetDC.USER32(00000000), ref: 009B6BF0
                                                                                                                                                                                                        • Part of subcall function 009B6BE7: GetCurrentObject.GDI32(00000000,00000007), ref: 009B6C11
                                                                                                                                                                                                        • Part of subcall function 009B6BE7: GetObjectW.GDI32(00000000,00000018,?), ref: 009B6C21
                                                                                                                                                                                                        • Part of subcall function 009B6BE7: DeleteObject.GDI32(00000000), ref: 009B6C28
                                                                                                                                                                                                        • Part of subcall function 009B6BE7: CreateCompatibleDC.GDI32(00000000), ref: 009B6C37
                                                                                                                                                                                                        • Part of subcall function 009B6BE7: CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 009B6C42
                                                                                                                                                                                                        • Part of subcall function 009B6BE7: SelectObject.GDI32(00000000,00000000), ref: 009B6C4E
                                                                                                                                                                                                        • Part of subcall function 009B6BE7: BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,00CC0020), ref: 009B6C71
                                                                                                                                                                                                      • CoUninitialize.COMBASE ref: 0098D7BC
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: Object$CompatibleCreate$BitmapCurrentDeleteSelectUninitialize
                                                                                                                                                                                                      • String ID: &W-Q$9Y$?C*]$|qay$~wxH
                                                                                                                                                                                                      • API String ID: 3248263802-1959178137
                                                                                                                                                                                                      • Opcode ID: ae45af60d508102decc7da59701e9a4893ce939ff9a93b35a5cd895196908ad5
                                                                                                                                                                                                      • Instruction ID: eb150aa50ad1757e6413a1c07e8fa664419e236a6db04bc9957c1d9b66cbc410
                                                                                                                                                                                                      • Opcode Fuzzy Hash: ae45af60d508102decc7da59701e9a4893ce939ff9a93b35a5cd895196908ad5
                                                                                                                                                                                                      • Instruction Fuzzy Hash: A0B115756057818BE725CF2AC4D0762BBE2FF96300B18C1ACC4D68BB86D739A846CB51
                                                                                                                                                                                                      Function 0043F150 Relevance: 8.0, Strings: 6, Instructions: 524COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                                                                      • String ID: H/}$S"(w$S"(w$d5fg$d5fg$f
                                                                                                                                                                                                      • API String ID: 2994545307-3680220967
                                                                                                                                                                                                      • Opcode ID: deb92bf670ae709ad561b25b35214b4440f864299bd2f8ca6b994e53228b85f7
                                                                                                                                                                                                      • Instruction ID: d96f39f5747abd94facca9cdfd6dc8715fedad9b00cb7f1fec3a1bbed5632043
                                                                                                                                                                                                      • Opcode Fuzzy Hash: deb92bf670ae709ad561b25b35214b4440f864299bd2f8ca6b994e53228b85f7
                                                                                                                                                                                                      • Instruction Fuzzy Hash: E812C575A093519FC724CF18C880B2BB7E1AFC9314F18963EE8A4573A1D775DC098B9A
                                                                                                                                                                                                      Function 009BF3B7 Relevance: 8.0, Strings: 6, Instructions: 524COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: H/}$S"(w$S"(w$d5fg$d5fg$f
                                                                                                                                                                                                      • API String ID: 0-3680220967
                                                                                                                                                                                                      • Opcode ID: 0d95f729ef3d477b1c9e30a1fac3cff8fc80ecb0f431d978f2f91dfa0851ceaa
                                                                                                                                                                                                      • Instruction ID: b9a1ea1fc039bc6c367662dbc36f4f518e827026e2dba9b56603f265c3928ce3
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0d95f729ef3d477b1c9e30a1fac3cff8fc80ecb0f431d978f2f91dfa0851ceaa
                                                                                                                                                                                                      • Instruction Fuzzy Hash: FB12E231A093519FC324CF18CD90B6EBBE5AFC9324F18863CE8A5473A1D771AC058B92
                                                                                                                                                                                                      Function 0040AE30 Relevance: 7.8, Strings: 6, Instructions: 344COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: 8)*6$8)*6$:33F$Ds$]f$}v
                                                                                                                                                                                                      • API String ID: 0-771823803
                                                                                                                                                                                                      • Opcode ID: 7a3e19719626faba5c99d689b52e2aeecc2c57281bd7adea87c94ef03e1a3679
                                                                                                                                                                                                      • Instruction ID: 415c6ff438417329eae15ed8e7d658c137838348542c9c9b1d71c747cb23f456
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 7a3e19719626faba5c99d689b52e2aeecc2c57281bd7adea87c94ef03e1a3679
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 88B1F67520C3408BD324CF6884546AFBBE1EFD2304F18896DE8D56B391D779890ACB9E
                                                                                                                                                                                                      Function 0098B097 Relevance: 7.8, Strings: 6, Instructions: 344COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: 8)*6$8)*6$:33F$Ds$]f$}v
                                                                                                                                                                                                      • API String ID: 0-771823803
                                                                                                                                                                                                      • Opcode ID: 50f1edfc2bafa0014d11b6723b84b375855532d8b2d3c37a471b1a8907bb870b
                                                                                                                                                                                                      • Instruction ID: dbd9cb95b4be7974b4aa85960e92e5b1b4992c15d4e1578ccb0c61632c3fba75
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 50f1edfc2bafa0014d11b6723b84b375855532d8b2d3c37a471b1a8907bb870b
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 00B1347520C3908BD324DF6884516AFBBE5AFC2314F5C882CE9E54B362D379C90ACB46
                                                                                                                                                                                                      Function 00425AF0 Relevance: 7.8, Strings: 6, Instructions: 289COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: )RSP$=^"\$B:$C@$K3$bX_^
                                                                                                                                                                                                      • API String ID: 0-3030200349
                                                                                                                                                                                                      • Opcode ID: b7b7d5e1b28ee3cbee9031abf066d5bdbea60043203f55f78b2bc464f190e4c2
                                                                                                                                                                                                      • Instruction ID: 361e1606381cfafdf419846c5dd42b56ab67650ac9a68572a77bc4f7112e5621
                                                                                                                                                                                                      • Opcode Fuzzy Hash: b7b7d5e1b28ee3cbee9031abf066d5bdbea60043203f55f78b2bc464f190e4c2
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 77B120B6E002288FDB20CF68DC427DEBBB1FB85314F1981A9E418AB351D7785D468F91
                                                                                                                                                                                                      Function 00428437 Relevance: 6.7, Strings: 5, Instructions: 469COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: "#$H}}C$J'N!$LMR|$vu~r
                                                                                                                                                                                                      • API String ID: 0-1530353048
                                                                                                                                                                                                      • Opcode ID: 8f0a109eb01666b980d5d4ea6aa88c69ad077d8ae26429a0f6b9f90d2ad26799
                                                                                                                                                                                                      • Instruction ID: 7cb9c3f936be8fd3a75d1e4abfb2bd6291e29c03686ec294c1ddfd7f13708a2f
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 8f0a109eb01666b980d5d4ea6aa88c69ad077d8ae26429a0f6b9f90d2ad26799
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0DE16CB5608351CFC7108F24A84126FB7E1AF96308F58487EE8C597342DB39DC05CB5A
                                                                                                                                                                                                      Function 004042B0 Relevance: 6.7, Strings: 5, Instructions: 464COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: )$)$IDAT$IEND$IHDR
                                                                                                                                                                                                      • API String ID: 0-3469842109
                                                                                                                                                                                                      • Opcode ID: f372f4cb5f00298efd3fc4362282583120594c95e814c0bcfa2cf688d961bdd6
                                                                                                                                                                                                      • Instruction ID: 257f26cc5f2a74aac9bf87ca9c2577b9cb81d69ed2dc1e03b5bd0bdbb9992778
                                                                                                                                                                                                      • Opcode Fuzzy Hash: f372f4cb5f00298efd3fc4362282583120594c95e814c0bcfa2cf688d961bdd6
                                                                                                                                                                                                      • Instruction Fuzzy Hash: C302E2B46083848FD704CF29D89176ABBE1EBC6304F14853EEA859B3D1D379D909CB96
                                                                                                                                                                                                      Function 00984517 Relevance: 6.7, Strings: 5, Instructions: 464COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: )$)$IDAT$IEND$IHDR
                                                                                                                                                                                                      • API String ID: 0-3469842109
                                                                                                                                                                                                      • Opcode ID: 6404abdd9532a83599bde1e91a6e17757f4bdc3d0c3ecb42acbc60988de959d0
                                                                                                                                                                                                      • Instruction ID: fab9e854b6e9ae8dda7a179e96aa9060bc3d2385d70eb0873426c35a248d9cc5
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6404abdd9532a83599bde1e91a6e17757f4bdc3d0c3ecb42acbc60988de959d0
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3302F1746083858FD714DF28C891B6BBBE1EFC6300F14866EE9858B391D379D909CB96
                                                                                                                                                                                                      Function 004092A0 Relevance: 6.7, Strings: 5, Instructions: 452COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: !oW1$#"2.$C$P$RRP\
                                                                                                                                                                                                      • API String ID: 0-2182630447
                                                                                                                                                                                                      • Opcode ID: 9e5b2cc2ab5d07adaa8a414532c7643901df2a50596dff6e5731d4bc268ab305
                                                                                                                                                                                                      • Instruction ID: 099b8e97d4c783248d299f08155666f1876e613e1bac2d45a50adfc1c6749069
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 9e5b2cc2ab5d07adaa8a414532c7643901df2a50596dff6e5731d4bc268ab305
                                                                                                                                                                                                      • Instruction Fuzzy Hash: B8C1167221C3918BD3258F29D49076BBFE2AFD3304F18896DE4D44B3C6D679890AC796
                                                                                                                                                                                                      Function 00989507 Relevance: 6.7, Strings: 5, Instructions: 452COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: !oW1$#"2.$C$P$RRP\
                                                                                                                                                                                                      • API String ID: 0-2182630447
                                                                                                                                                                                                      • Opcode ID: 9e5b2cc2ab5d07adaa8a414532c7643901df2a50596dff6e5731d4bc268ab305
                                                                                                                                                                                                      • Instruction ID: 4c17b0eed4cd5538a1ff82c570282ec173794899586028555a7e2dec7c32e3a5
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 9e5b2cc2ab5d07adaa8a414532c7643901df2a50596dff6e5731d4bc268ab305
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4BC1E47121C3924FD3258F29C49176BBFE2AFE3204F1C896DE4D58B386D679850AC792
                                                                                                                                                                                                      Function 00429FE4 Relevance: 6.7, Strings: 5, Instructions: 437COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: ,fbV$d~`}$lvhu$ooKv$sf
                                                                                                                                                                                                      • API String ID: 0-4157365443
                                                                                                                                                                                                      • Opcode ID: d0a6585cca3ad9a47c54e6056bc46f80964016baf11be8ce0a27bf085c007181
                                                                                                                                                                                                      • Instruction ID: aaedd27545ab9ed709b9694aed24c663919bae5b675873c34d327438eaef385a
                                                                                                                                                                                                      • Opcode Fuzzy Hash: d0a6585cca3ad9a47c54e6056bc46f80964016baf11be8ce0a27bf085c007181
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 14E139B15483518FD714CF24D8817ABB7E2AFD1304F48896DE9D587382E679E908C78B
                                                                                                                                                                                                      Function 009AA305 Relevance: 6.7, Strings: 5, Instructions: 407COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: ,fbV$d~`}$lvhu$ooKv$sf
                                                                                                                                                                                                      • API String ID: 0-4157365443
                                                                                                                                                                                                      • Opcode ID: ac8608a635378d5c383f0645017db4dbb6ad6197584878f05415f6d5cdf6d11e
                                                                                                                                                                                                      • Instruction ID: 3c0d4fb7f22a7d8879fb134d8937cc95428385313e66720216604afafb13e3eb
                                                                                                                                                                                                      • Opcode Fuzzy Hash: ac8608a635378d5c383f0645017db4dbb6ad6197584878f05415f6d5cdf6d11e
                                                                                                                                                                                                      • Instruction Fuzzy Hash: C9D1F7B294C3414BD724CF18C8917ABB7E2AFD5314F08892CE5D58B352E779DA09CB86
                                                                                                                                                                                                      Function 00409790 Relevance: 5.4, Strings: 4, Instructions: 415COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: *+$kh$nz${u
                                                                                                                                                                                                      • API String ID: 0-424779605
                                                                                                                                                                                                      • Opcode ID: 0a6dafd6ef2ba7b0d43a2a51019282152f096bc3ad18055503bec8102e7ee30b
                                                                                                                                                                                                      • Instruction ID: 1b29a9faac5300f3ffc5f62fe3d46617b85d137f0c3ce0abae63967b27c05819
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0a6dafd6ef2ba7b0d43a2a51019282152f096bc3ad18055503bec8102e7ee30b
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2AD103716087508BD724DF35C851BABBBE2EFC1318F18896DE4D59B392D638C809CB46
                                                                                                                                                                                                      Function 009899F7 Relevance: 5.4, Strings: 4, Instructions: 415COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: *+$kh$nz${u
                                                                                                                                                                                                      • API String ID: 0-424779605
                                                                                                                                                                                                      • Opcode ID: 2082c0a74a3eb7ff3a029c135b348d841f3ea5b4eda3e8b99a1f11572f93b6ec
                                                                                                                                                                                                      • Instruction ID: 042ae4551b70e8bd413aee738497b354c5d2b0d2be478015a62cf17a0ac54195
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 2082c0a74a3eb7ff3a029c135b348d841f3ea5b4eda3e8b99a1f11572f93b6ec
                                                                                                                                                                                                      • Instruction Fuzzy Hash: C1D1F3716087508BD724DF38C895BABBBE6EFD1318F18896DE4D68B392D634C409CB46
                                                                                                                                                                                                      Function 0042FCBC Relevance: 5.3, Strings: 4, Instructions: 335COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: BVAI$_Pna$mc$t
                                                                                                                                                                                                      • API String ID: 0-1770441902
                                                                                                                                                                                                      • Opcode ID: a6be79c1421af0b4b0c922728e2635db4fbde982ee4162c8bdd7ea1edf433783
                                                                                                                                                                                                      • Instruction ID: 048c6723a0782cba0ed5f5bfde42b0dc355c8231af3653691a455654dcaa2d5e
                                                                                                                                                                                                      • Opcode Fuzzy Hash: a6be79c1421af0b4b0c922728e2635db4fbde982ee4162c8bdd7ea1edf433783
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 03A1C37050C3D18AE739CF2594103ABBBE1AFD7304F58897ED0D997382DB79814A8B5A
                                                                                                                                                                                                      Function 0042EA62 Relevance: 5.3, Strings: 4, Instructions: 331COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: 0$8<j?$D$4b
                                                                                                                                                                                                      • API String ID: 0-1320392364
                                                                                                                                                                                                      • Opcode ID: c5bccc6a1462223a6a16399cddfc4de50993b4880fcb804883e5cf7c287459bb
                                                                                                                                                                                                      • Instruction ID: 2b7b52935a6d5b5a4047c1575b3543403dadbc3efec4758ce9a79863674c7261
                                                                                                                                                                                                      • Opcode Fuzzy Hash: c5bccc6a1462223a6a16399cddfc4de50993b4880fcb804883e5cf7c287459bb
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9F91F66030C3918BD718CF3A946136BBBD19FD6314F69896EE4D68B391D23CC406871A
                                                                                                                                                                                                      Function 009AECC9 Relevance: 5.3, Strings: 4, Instructions: 331COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: 0$8<j?$D$4b
                                                                                                                                                                                                      • API String ID: 0-1320392364
                                                                                                                                                                                                      • Opcode ID: c5bccc6a1462223a6a16399cddfc4de50993b4880fcb804883e5cf7c287459bb
                                                                                                                                                                                                      • Instruction ID: 0fb2447a4631275761fed59910cb7e79d5d7f4120d2b3f72a2d60c50851bdc94
                                                                                                                                                                                                      • Opcode Fuzzy Hash: c5bccc6a1462223a6a16399cddfc4de50993b4880fcb804883e5cf7c287459bb
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4E91E56120C3818BD718CF3989A137AFBD1DFD6318F28896DE4D68B291D27DC50ACB56
                                                                                                                                                                                                      Function 0042A9F7 Relevance: 5.3, Strings: 4, Instructions: 328COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: v$v$bt$zi
                                                                                                                                                                                                      • API String ID: 0-1945541540
                                                                                                                                                                                                      • Opcode ID: 295c829244e78f24e812d08f7068f6e887247ac70f2c98393ecae3702f4aeb52
                                                                                                                                                                                                      • Instruction ID: bba7ce1cbd9d7b5964ace128991244c7d88d52c60c2cfa081a52f8c92ce1e01e
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 295c829244e78f24e812d08f7068f6e887247ac70f2c98393ecae3702f4aeb52
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 48D1687260C3558FD725CF28D45069FFBE6EBC4304F06892DE8A99B281D774D60ACB86
                                                                                                                                                                                                      Function 0041BBA0 Relevance: 5.3, Strings: 4, Instructions: 325COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: 'P0V$,D,J$9HiN$WT
                                                                                                                                                                                                      • API String ID: 0-3770969982
                                                                                                                                                                                                      • Opcode ID: db0a98afcbfdb664a44cceaff5c849975bf5989fe3d7f245b03da2a88515caab
                                                                                                                                                                                                      • Instruction ID: 1a2b24427ca50ea0613cce179253f9256e84f06a3d156f412d4f3691be65671a
                                                                                                                                                                                                      • Opcode Fuzzy Hash: db0a98afcbfdb664a44cceaff5c849975bf5989fe3d7f245b03da2a88515caab
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 72B123B664D3549BD304CF62D8802AFBBE2FBC1314F098D2DE1C897341D779884A8B86
                                                                                                                                                                                                      Function 00442D20 Relevance: 5.3, Strings: 4, Instructions: 282COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                                                                      • String ID: D`a&$H/}$NMNO$bX_^
                                                                                                                                                                                                      • API String ID: 2994545307-2330839445
                                                                                                                                                                                                      • Opcode ID: d05b069c2774e5dca8c6c82d0cc5445501065ceaccfd0e13c7886a15adc59c0e
                                                                                                                                                                                                      • Instruction ID: 6e9e5fc7c2cb7ec0ed59593f00f51acd5d9bbc11244cb29e2d173750d6d6eb6d
                                                                                                                                                                                                      • Opcode Fuzzy Hash: d05b069c2774e5dca8c6c82d0cc5445501065ceaccfd0e13c7886a15adc59c0e
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 558167312083014FE318DF24DC8166BB7A2EBC5328F69862DE5A54B391DB79ED0AC759
                                                                                                                                                                                                      Function 0041825B Relevance: 5.2, Strings: 4, Instructions: 231COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: )$7$H/}$gfff
                                                                                                                                                                                                      • API String ID: 0-829814228
                                                                                                                                                                                                      • Opcode ID: efcf1df4711dd3b4980222b1e3f150a22642c4af62dee3075cfc2de176e6feb6
                                                                                                                                                                                                      • Instruction ID: 9f03ba7914f0360cb7709cea8ad3b28f347f0d2189de7c473bd193f5a0b7fd0c
                                                                                                                                                                                                      • Opcode Fuzzy Hash: efcf1df4711dd3b4980222b1e3f150a22642c4af62dee3075cfc2de176e6feb6
                                                                                                                                                                                                      • Instruction Fuzzy Hash: D4812572A142118BD324CF28DC417AB77E2EBC8314F18C92ED985DB395EB3CD8468785
                                                                                                                                                                                                      Function 009984C2 Relevance: 5.2, Strings: 4, Instructions: 231COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: )$7$H/}$gfff
                                                                                                                                                                                                      • API String ID: 0-829814228
                                                                                                                                                                                                      • Opcode ID: 60e49d7894c15ae3aa33853dce523991c204049145f125d3a07e5eda309779ae
                                                                                                                                                                                                      • Instruction ID: 9fca7df2863dc8400f426e7712629b1ceff3cddb36bf30ede7fa82d0ef89a20f
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 60e49d7894c15ae3aa33853dce523991c204049145f125d3a07e5eda309779ae
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 22813672A142518BD724CF2CCC41BAB77D6EBC5314F19C92DE486DB395EB38D90A8781
                                                                                                                                                                                                      Function 009A73B2 Relevance: 5.2, Strings: 4, Instructions: 205COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: FOOE$KGFU$KGFU$UUQg
                                                                                                                                                                                                      • API String ID: 0-60738199
                                                                                                                                                                                                      • Opcode ID: 6cf9c5cec0f80acf9d2adc729e7b0a961c5be7fa5a2f2669f24e8ed63becf1bb
                                                                                                                                                                                                      • Instruction ID: c15abcdbcf822ffcd9701b77790da26155331aaf7f3053c4d1d0e8690a971bed
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6cf9c5cec0f80acf9d2adc729e7b0a961c5be7fa5a2f2669f24e8ed63becf1bb
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 16518172D492528FDB10CBE8CC421A9FBA6EF56310B1E4665D8558B3D1D338ED01D7D1
                                                                                                                                                                                                      Function 009A5D57 Relevance: 5.1, Strings: 4, Instructions: 132COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: B:$C@$K3$bX_^
                                                                                                                                                                                                      • API String ID: 0-595269213
                                                                                                                                                                                                      • Opcode ID: 0d06cbe45fa1c6c57b514cd4ae27e395b8e4d2b4ab09be3f8917ba205efd2598
                                                                                                                                                                                                      • Instruction ID: 949b9b916c5409aa388664d71cdc13b7e617ec99da1ddaecf7fbd9290a7cb841
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0d06cbe45fa1c6c57b514cd4ae27e395b8e4d2b4ab09be3f8917ba205efd2598
                                                                                                                                                                                                      • Instruction Fuzzy Hash: D541E1B5D102289FCB20DF79CD427DEBFB1AB85300F4441AAE448A7355D6340E498FD2
                                                                                                                                                                                                      Function 00414C20 Relevance: 4.7, Strings: 3, Instructions: 989COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: H/}$NP,?$UA
                                                                                                                                                                                                      • API String ID: 0-3240057598
                                                                                                                                                                                                      • Opcode ID: 813f516fed63c72ca3bf17ef7764154db6e20e3e50629bbb0b438f72444d9df9
                                                                                                                                                                                                      • Instruction ID: 7e2827b50fa6ca7fd58d98589243822aea337e03717d5c259c09a672e0419966
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 813f516fed63c72ca3bf17ef7764154db6e20e3e50629bbb0b438f72444d9df9
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1F522475608310DBD714DF28DC82BAB73A2EBC6314F58463DF995872E1E738A846C789
                                                                                                                                                                                                      Function 00421E70 Relevance: 4.2, Strings: 3, Instructions: 435COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: (ijkdefgau`c$au`c$defgau`c
                                                                                                                                                                                                      • API String ID: 0-3415814675
                                                                                                                                                                                                      • Opcode ID: c3efea4fa2bab3c823527f8003c6373997cd92d148a9c0371e5379c7b59358e5
                                                                                                                                                                                                      • Instruction ID: e077c08026441789f2384525beb931856e433a8fb10ce9bf48ff95afe867dbef
                                                                                                                                                                                                      • Opcode Fuzzy Hash: c3efea4fa2bab3c823527f8003c6373997cd92d148a9c0371e5379c7b59358e5
                                                                                                                                                                                                      • Instruction Fuzzy Hash: E8D10FB16083509FC714DF28C891B6BBBE1EFC5318F18892DE9858B391E7B9D805CB56
                                                                                                                                                                                                      Function 009A20D7 Relevance: 4.2, Strings: 3, Instructions: 435COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: (ijkdefgau`c$au`c$defgau`c
                                                                                                                                                                                                      • API String ID: 0-3415814675
                                                                                                                                                                                                      • Opcode ID: 9e8d5e03b0b2b75bc4d5eda427d96198f973e9ec1b0f4896e10352321ad71037
                                                                                                                                                                                                      • Instruction ID: e87c81747c8ce2e6ccc52f7d436bad2c6559f83af2814ff545bb47726f75b103
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 9e8d5e03b0b2b75bc4d5eda427d96198f973e9ec1b0f4896e10352321ad71037
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4DD1AEB16183408BD714DF68C891B6BBBE5FFC6318F14892CE9868B391E775D805CB92
                                                                                                                                                                                                      Function 00434CEF Relevance: 4.2, Strings: 3, Instructions: 429COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: $$.$K
                                                                                                                                                                                                      • API String ID: 0-4278605028
                                                                                                                                                                                                      • Opcode ID: d51ca7546fb35149707e9a4e558836ac4b566572d278ca2866f6bef816fa7ae2
                                                                                                                                                                                                      • Instruction ID: 6a15d43e6d9dc7541644536baa1fca88b34eed3a23bb6af0385b7f8a4183f52c
                                                                                                                                                                                                      • Opcode Fuzzy Hash: d51ca7546fb35149707e9a4e558836ac4b566572d278ca2866f6bef816fa7ae2
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 69029E71614BC08BE3158F3DC891392BFE2AB56304F1CC9AED4DACB787C229E5458B65
                                                                                                                                                                                                      Function 0042B170 Relevance: 4.2, Strings: 3, Instructions: 428COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: H/}${wBy$?;;
                                                                                                                                                                                                      • API String ID: 0-649230281
                                                                                                                                                                                                      • Opcode ID: 0391eef4f66e27ec324ee0bdb208b3ba8a61a3bb00443cccaa8d3f35c85cd4d0
                                                                                                                                                                                                      • Instruction ID: c7db1f9763108cdebf81104c4566820d91597438b4a38115d6d9003e34c696d3
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0391eef4f66e27ec324ee0bdb208b3ba8a61a3bb00443cccaa8d3f35c85cd4d0
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1AF1F1B4A08350DFD3159F28E89172BB7E1EF86308F484A6DF4D5872A2D3399901DB5A
                                                                                                                                                                                                      Function 0042EB5F Relevance: 4.1, Strings: 3, Instructions: 313COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: 8<j?$D$4b
                                                                                                                                                                                                      • API String ID: 0-2390459867
                                                                                                                                                                                                      • Opcode ID: d7cf588a064f1155daa4d7c44af41ec226caa0cd09314393bb3aaf469a1037c3
                                                                                                                                                                                                      • Instruction ID: 3d775767d977819f4cd04dfa65fb75d6d4b79ad1faca8718d285b39be461a68a
                                                                                                                                                                                                      • Opcode Fuzzy Hash: d7cf588a064f1155daa4d7c44af41ec226caa0cd09314393bb3aaf469a1037c3
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1781F86020C3928BD719CF3A946137BBFD19FD6314F69896EE4D68B381D27DC406871A
                                                                                                                                                                                                      Function 0042EBB3 Relevance: 4.1, Strings: 3, Instructions: 313COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: 8<j?$D$4b
                                                                                                                                                                                                      • API String ID: 0-2390459867
                                                                                                                                                                                                      • Opcode ID: d59d36acd5cd2e828688b9d714447d50828384055e21535b96a5200c43e5d42a
                                                                                                                                                                                                      • Instruction ID: e8062cfa3f92b269e517a95a0a15263ae71e3fa69566e020a52e9e5137cfccfc
                                                                                                                                                                                                      • Opcode Fuzzy Hash: d59d36acd5cd2e828688b9d714447d50828384055e21535b96a5200c43e5d42a
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 7281F86030C3928BD718CF3A946136BBBD19FD6314F69896EE4D68B381D27DC406875A
                                                                                                                                                                                                      Function 009AEDC6 Relevance: 4.1, Strings: 3, Instructions: 313COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: 8<j?$D$4b
                                                                                                                                                                                                      • API String ID: 0-2390459867
                                                                                                                                                                                                      • Opcode ID: d7cf588a064f1155daa4d7c44af41ec226caa0cd09314393bb3aaf469a1037c3
                                                                                                                                                                                                      • Instruction ID: 3942173354f091e61f961a6f3f86b4aa73c1f7e1d74121c4c0b70488687daa1f
                                                                                                                                                                                                      • Opcode Fuzzy Hash: d7cf588a064f1155daa4d7c44af41ec226caa0cd09314393bb3aaf469a1037c3
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5A81E76120C3818BD719CF3989A137AFFD19FD7318F28896DE4D68B281D279C50ACB56
                                                                                                                                                                                                      Function 009AEE1A Relevance: 4.1, Strings: 3, Instructions: 313COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: 8<j?$D$4b
                                                                                                                                                                                                      • API String ID: 0-2390459867
                                                                                                                                                                                                      • Opcode ID: d59d36acd5cd2e828688b9d714447d50828384055e21535b96a5200c43e5d42a
                                                                                                                                                                                                      • Instruction ID: 7342b82c36648f8e652d9004749b7021df28fa9ee64c9fd1f9ac5d2da115ec86
                                                                                                                                                                                                      • Opcode Fuzzy Hash: d59d36acd5cd2e828688b9d714447d50828384055e21535b96a5200c43e5d42a
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1281D66120C3818BD719CF3985A137AFBD1DFD7318F28896DE4D68B281D279C90ACB56
                                                                                                                                                                                                      Function 00408F90 Relevance: 4.1, Strings: 3, Instructions: 304COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: #=0$Z$ut
                                                                                                                                                                                                      • API String ID: 0-1971374411
                                                                                                                                                                                                      • Opcode ID: be4ac88b631f695b8da9113a151050db4f90e52ffa014f1e1e87b4b39f4c50ae
                                                                                                                                                                                                      • Instruction ID: eba545bab416a68370d8833e2e81319f1cd74d48ef4740c2d23370f5f56f4d51
                                                                                                                                                                                                      • Opcode Fuzzy Hash: be4ac88b631f695b8da9113a151050db4f90e52ffa014f1e1e87b4b39f4c50ae
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4681E23120C7829AD7058F39845026BBFE1AFA7314F1889AED4D1AB3C7D639C90AC756
                                                                                                                                                                                                      Function 009891F7 Relevance: 4.1, Strings: 3, Instructions: 304COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: #=0$Z$ut
                                                                                                                                                                                                      • API String ID: 0-1971374411
                                                                                                                                                                                                      • Opcode ID: be4ac88b631f695b8da9113a151050db4f90e52ffa014f1e1e87b4b39f4c50ae
                                                                                                                                                                                                      • Instruction ID: 92aefb7ce7ddfae76b43b31d2419469fe12ff2f44f3bba10b9373ba5a2b830b0
                                                                                                                                                                                                      • Opcode Fuzzy Hash: be4ac88b631f695b8da9113a151050db4f90e52ffa014f1e1e87b4b39f4c50ae
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1781E23110C3928ED7058F39C45067AFFE5AFA3318F2C99ADD4D29B792D629C50AC752
                                                                                                                                                                                                      Function 0042EBA1 Relevance: 4.0, Strings: 3, Instructions: 290COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: 8<j?$D$4b
                                                                                                                                                                                                      • API String ID: 0-2390459867
                                                                                                                                                                                                      • Opcode ID: 9551c1296e75a185e8b16465c2714311d826185385f0d2d897db6609d4c85006
                                                                                                                                                                                                      • Instruction ID: b31d7765b50fe5da72acd4eceaa3461b1016088ded1e177ce8b27f3ca53c8b68
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 9551c1296e75a185e8b16465c2714311d826185385f0d2d897db6609d4c85006
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 7E81E8602083918BD719CF3A946136BFFD29FE6314F6D496EE4D18B381D23CC5068B5A
                                                                                                                                                                                                      Function 009AEE08 Relevance: 4.0, Strings: 3, Instructions: 290COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: 8<j?$D$4b
                                                                                                                                                                                                      • API String ID: 0-2390459867
                                                                                                                                                                                                      • Opcode ID: 9551c1296e75a185e8b16465c2714311d826185385f0d2d897db6609d4c85006
                                                                                                                                                                                                      • Instruction ID: 6879cab954f43f8b311a32f821e8632ab93adaa85f1703f9cd33d0260c311356
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 9551c1296e75a185e8b16465c2714311d826185385f0d2d897db6609d4c85006
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4A81D76120C3818BD719CF3989A137AFFD29FE7354F2C896DE4D18B281D279C50A8B56
                                                                                                                                                                                                      Function 00427133 Relevance: 4.0, Strings: 3, Instructions: 219COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: FOOE$KGFU$UUQg
                                                                                                                                                                                                      • API String ID: 0-2281124432
                                                                                                                                                                                                      • Opcode ID: aa3e6234d37e5ff48adc82abd2c06de17444a92e0354e9c2c603a59569284f89
                                                                                                                                                                                                      • Instruction ID: e3d0f05a3102c402a5be3d16b6d50dde008b8d5973f854c9b7a8b98ef3316d4d
                                                                                                                                                                                                      • Opcode Fuzzy Hash: aa3e6234d37e5ff48adc82abd2c06de17444a92e0354e9c2c603a59569284f89
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9A619D72B49262CFD710CBA4D8402AAF7A2EF55310B5D42ABD8558B382E33CDD12D3A5
                                                                                                                                                                                                      Function 0041AF24 Relevance: 3.9, Strings: 3, Instructions: 196COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: 5230$I`af$t]ae
                                                                                                                                                                                                      • API String ID: 0-812676372
                                                                                                                                                                                                      • Opcode ID: 69b55e9c59f984ca031ddda7f553905b2866cdbf307ebf2f1898f1c112d00d2e
                                                                                                                                                                                                      • Instruction ID: cc3bff843b66776ddd05c04f0bda8cfb631fd3a3b5e3538274f97fe5caba7e22
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 69b55e9c59f984ca031ddda7f553905b2866cdbf307ebf2f1898f1c112d00d2e
                                                                                                                                                                                                      • Instruction Fuzzy Hash: D7515972A15B804FD738CF66C891767BBE3ABA5304F19896DC1C287695DABCA405C704
                                                                                                                                                                                                      Function 0099B18B Relevance: 3.9, Strings: 3, Instructions: 196COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: 5230$I`af$t]ae
                                                                                                                                                                                                      • API String ID: 0-812676372
                                                                                                                                                                                                      • Opcode ID: 99ad52d241a312d1886458a9d982083b732080c3046440976dde46d31c833c5f
                                                                                                                                                                                                      • Instruction ID: 082b62abd9ad20085e2ad7c06c4b800bd151df6ecc0c3bf10131d48a3930177d
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 99ad52d241a312d1886458a9d982083b732080c3046440976dde46d31c833c5f
                                                                                                                                                                                                      • Instruction Fuzzy Hash: F2515972A15B808FD738CF65C991B67BBE3BBA1304F1C896DC1C2C7695DAB8A405C700
                                                                                                                                                                                                      Function 0041DAD0 Relevance: 3.9, Strings: 3, Instructions: 156COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: 1$5230$A
                                                                                                                                                                                                      • API String ID: 0-2921844354
                                                                                                                                                                                                      • Opcode ID: 2f0b92b3633f1c98435bd7295618cc795514d651c00833ac90ced833c2e04a77
                                                                                                                                                                                                      • Instruction ID: e76a71f95e24524307293e01d01a6f58a23ad2f1a40c0433447d02162c8ae966
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 2f0b92b3633f1c98435bd7295618cc795514d651c00833ac90ced833c2e04a77
                                                                                                                                                                                                      • Instruction Fuzzy Hash: F8416972A5C3405AE324AE65CC827ABB6D3EBD1324F18C93EF1D9472C5E9F848428316
                                                                                                                                                                                                      Function 0099DD37 Relevance: 3.9, Strings: 3, Instructions: 156COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: 1$5230$A
                                                                                                                                                                                                      • API String ID: 0-2921844354
                                                                                                                                                                                                      • Opcode ID: c88d49dccca9c115cac4552a1e1a4679eb3bb04cb6d09c4ebc94843ec1f1dc21
                                                                                                                                                                                                      • Instruction ID: 2eb611ffaece8210422b72e9b93e1e15215f60e097a8137a9a37d2a5efcded9f
                                                                                                                                                                                                      • Opcode Fuzzy Hash: c88d49dccca9c115cac4552a1e1a4679eb3bb04cb6d09c4ebc94843ec1f1dc21
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 01417B36A5D3405AE7249E79CC8276BB6E3EBD2324F1CC93DF1D9872C5E5B944028316
                                                                                                                                                                                                      Function 0098092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: .$GetProcAddress.$l
                                                                                                                                                                                                      • API String ID: 0-2784972518
                                                                                                                                                                                                      • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                                                                                                                                                      • Instruction ID: 3d54cbb3170d3150e33d71cd1f1189c548c87d6e6dcec4c39435f9439b8a5298
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5C318DB6900609CFDB10DF99C880AADBBF9FF48324F15404AD841A7311D771EA49CBA4
                                                                                                                                                                                                      Function 0041F6D0 Relevance: 3.3, Strings: 2, Instructions: 817COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: 9B$B
                                                                                                                                                                                                      • API String ID: 0-4208784936
                                                                                                                                                                                                      • Opcode ID: 986acf23185ab1b50e6ad9565e7f762b14932ce870d5dbc259a2a73c0999a18c
                                                                                                                                                                                                      • Instruction ID: b8962ee0846928653caa32ab1d9872d6313577c24d17d84896ac92dc99d0ed25
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 986acf23185ab1b50e6ad9565e7f762b14932ce870d5dbc259a2a73c0999a18c
                                                                                                                                                                                                      • Instruction Fuzzy Hash: EF72B1B1619F808ED329CF3C8805397BFD6AB5A324F188B5EA0FA877D2C77561018756
                                                                                                                                                                                                      Function 00422380 Relevance: 2.9, Strings: 2, Instructions: 396COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: :;$H/}
                                                                                                                                                                                                      • API String ID: 0-2946751746
                                                                                                                                                                                                      • Opcode ID: 303de10fff242c4ff705677ea5eca08dca5e362961479335f7d5ab6b711b2e43
                                                                                                                                                                                                      • Instruction ID: a8ce0ab78c4be7f089376efb71ad2075c1d737e56b9c5b96f1916c659004ebff
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 303de10fff242c4ff705677ea5eca08dca5e362961479335f7d5ab6b711b2e43
                                                                                                                                                                                                      • Instruction Fuzzy Hash: FCA11972605320ABD7109F24ED8276B73E0EF85358F88852EF8959B391E3BCDD05875A
                                                                                                                                                                                                      Function 009A25E7 Relevance: 2.9, Strings: 2, Instructions: 396COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: :;$H/}
                                                                                                                                                                                                      • API String ID: 0-2946751746
                                                                                                                                                                                                      • Opcode ID: 7fda9392dab92b0c76c3cf4899473e7ebc01ceaa019578965055405904a6ce5a
                                                                                                                                                                                                      • Instruction ID: 84fe35fe7a7c7e5dc19c6bbc70ec2d6886c05a6ecc0ce4a588ca686093ec90c4
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 7fda9392dab92b0c76c3cf4899473e7ebc01ceaa019578965055405904a6ce5a
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 55A11771A053109BD710AF2CCC8276BB3E5EF82724F18852CF8958B281E379ED45C7A2
                                                                                                                                                                                                      Function 0043C5A0 Relevance: 2.9, Strings: 2, Instructions: 385COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: H/}$NP,?
                                                                                                                                                                                                      • API String ID: 0-3178405810
                                                                                                                                                                                                      • Opcode ID: 4292c81706fc5104aea80fe8ef179a1662a25d3dca60aede90bca8e2f2b4382c
                                                                                                                                                                                                      • Instruction ID: f65ccde577a60585fc50111e68a200c88a0f1f1b3df19762a23bd62bb81c5e5c
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4292c81706fc5104aea80fe8ef179a1662a25d3dca60aede90bca8e2f2b4382c
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5DA18E75A083209BD324DF19CCC173BB3A6EBC9324F19962EE995673D1D738AC018799
                                                                                                                                                                                                      Function 009BC807 Relevance: 2.9, Strings: 2, Instructions: 385COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: H/}$NP,?
                                                                                                                                                                                                      • API String ID: 0-3178405810
                                                                                                                                                                                                      • Opcode ID: 9a5fae3dd16c561d9c5a6a93a9271e2a35235290781d04eedd2e3e01a9d132d7
                                                                                                                                                                                                      • Instruction ID: 774793c1a34efb0940a38466d9f9e6eee7826a9176e77b874f800f87a408ee91
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 9a5fae3dd16c561d9c5a6a93a9271e2a35235290781d04eedd2e3e01a9d132d7
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1CA126B1A043249BD724CF28C982BBFB7AAABC5734F18863CF59857291D730AC01C795
                                                                                                                                                                                                      Function 00431E8E Relevance: 2.9, Strings: 2, Instructions: 383COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: nz$nz
                                                                                                                                                                                                      • API String ID: 0-4002586851
                                                                                                                                                                                                      • Opcode ID: 657b8ad3b5a701e97fdb508390c6d00fb43f0f4f68eec0077ab5ee9a3c7d2eea
                                                                                                                                                                                                      • Instruction ID: a3c1cfee1f99e453375e064e447a228442ae2f14524e15aa7be5cf63e3ec65e5
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 657b8ad3b5a701e97fdb508390c6d00fb43f0f4f68eec0077ab5ee9a3c7d2eea
                                                                                                                                                                                                      • Instruction Fuzzy Hash: ACE11872608B808FD315CA3CC891396FFE2AFDA314F1D866DC5EA8B392D675A406C715
                                                                                                                                                                                                      Function 009B20F5 Relevance: 2.9, Strings: 2, Instructions: 383COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: nz$nz
                                                                                                                                                                                                      • API String ID: 0-4002586851
                                                                                                                                                                                                      • Opcode ID: 657b8ad3b5a701e97fdb508390c6d00fb43f0f4f68eec0077ab5ee9a3c7d2eea
                                                                                                                                                                                                      • Instruction ID: 63a8b0f9881c15ff2f26aad59e9195eebe891523274092fdb2a283c2c9770bdb
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 657b8ad3b5a701e97fdb508390c6d00fb43f0f4f68eec0077ab5ee9a3c7d2eea
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2BE11C72608B818FD315CB3CC891396BFE2AFDA324F1D866DC5EA8B392D6759406C711
                                                                                                                                                                                                      Function 00442470 Relevance: 2.8, Strings: 2, Instructions: 294COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                                                                      • String ID: H/}$_\]R
                                                                                                                                                                                                      • API String ID: 2994545307-1508508542
                                                                                                                                                                                                      • Opcode ID: 40b2a5fcce8fbd99e35ebddbeea2a32485a095c58c85b1bcf33869944168392c
                                                                                                                                                                                                      • Instruction ID: 67d2bc21efa779ec1b2302c596d4d55850990720b38256b1c81cc65d81c9891d
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 40b2a5fcce8fbd99e35ebddbeea2a32485a095c58c85b1bcf33869944168392c
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 729114315083119BD718DF28D9A0A2FB7E2EFD9314F59862DF48697391E774E802C78A
                                                                                                                                                                                                      Function 009C26D7 Relevance: 2.8, Strings: 2, Instructions: 294COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: H/}$_\]R
                                                                                                                                                                                                      • API String ID: 0-1508508542
                                                                                                                                                                                                      • Opcode ID: ded7eeee8ad350a6afe0009bc7ce961d3544678ba9de2a86e57f9a76fab24472
                                                                                                                                                                                                      • Instruction ID: 78a70b10942b84d4121ef4dc32fbe45a611b14f17d3cc2ccbf28f7c1bca4ecee
                                                                                                                                                                                                      • Opcode Fuzzy Hash: ded7eeee8ad350a6afe0009bc7ce961d3544678ba9de2a86e57f9a76fab24472
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 409117319083519BCB18DF28C890B6FB7E6EFD9324F19852CE4C597291E731A905C787
                                                                                                                                                                                                      Function 00427490 Relevance: 2.8, Strings: 2, Instructions: 284COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: o~$yr
                                                                                                                                                                                                      • API String ID: 0-1013308823
                                                                                                                                                                                                      • Opcode ID: c9d48b95859aed5604db22a7b535e1b994fc6fc23f247b972c2d66fa384cb495
                                                                                                                                                                                                      • Instruction ID: 9949b5826033667454bdd212c251d03fc0b1eef30724b4879d74d6325ed2a79f
                                                                                                                                                                                                      • Opcode Fuzzy Hash: c9d48b95859aed5604db22a7b535e1b994fc6fc23f247b972c2d66fa384cb495
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 48913975A0C3208BD320DF19D84066BBBE2EFD5324F09892DE9D95B391E7B8C905C786
                                                                                                                                                                                                      Function 009A76F7 Relevance: 2.8, Strings: 2, Instructions: 284COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: o~$yr
                                                                                                                                                                                                      • API String ID: 0-1013308823
                                                                                                                                                                                                      • Opcode ID: f353fb7c42ac297e1fe1c84090b810e7596e2eb7232e841eeaea4071bc621b13
                                                                                                                                                                                                      • Instruction ID: aa78208b5edbc7c0d07ef88f6619c4efcf03f1f049fc9658d689f067ef2fcfc2
                                                                                                                                                                                                      • Opcode Fuzzy Hash: f353fb7c42ac297e1fe1c84090b810e7596e2eb7232e841eeaea4071bc621b13
                                                                                                                                                                                                      • Instruction Fuzzy Hash: C691027690C3508BD320DF58C885A6BFBE6EFD2314F09892CE9D94B391E7B48905C786
                                                                                                                                                                                                      Function 00427F30 Relevance: 2.8, Strings: 2, Instructions: 280COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                                                                      • String ID: H/}$
                                                                                                                                                                                                      • API String ID: 2994545307-2347156884
                                                                                                                                                                                                      • Opcode ID: 862311005c7391fdfde23addbd4ed3329e2a257a31929c347f63ca686a793f95
                                                                                                                                                                                                      • Instruction ID: 7661637dc5d8e8a5c488f056d59cc6aa38c937314abadac712079a8ab4c4f304
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 862311005c7391fdfde23addbd4ed3329e2a257a31929c347f63ca686a793f95
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 308157717093209BD7149B25AC92B3F73A1EF81314F59862EE985573C1EB3C9C1A839A
                                                                                                                                                                                                      Function 009A8197 Relevance: 2.8, Strings: 2, Instructions: 280COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: H/}$
                                                                                                                                                                                                      • API String ID: 0-2347156884
                                                                                                                                                                                                      • Opcode ID: e0b172cd705df7923fbf2ed4e27c4b33ed5b0099bb5f0496611bea36cd42384f
                                                                                                                                                                                                      • Instruction ID: 3aca2a201085bed84964db5b3c9bd652ebbbe6506adeec4fffb7b2abaf0f1422
                                                                                                                                                                                                      • Opcode Fuzzy Hash: e0b172cd705df7923fbf2ed4e27c4b33ed5b0099bb5f0496611bea36cd42384f
                                                                                                                                                                                                      • Instruction Fuzzy Hash: C8813B71A083109BDB149B648C96B3F73EAEFC2724F18863CE8954B291EF799C0587D5
                                                                                                                                                                                                      Function 004427B0 Relevance: 2.7, Strings: 2, Instructions: 247COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: =^"\$H/}
                                                                                                                                                                                                      • API String ID: 0-3539360805
                                                                                                                                                                                                      • Opcode ID: 30c79af13426789e40e09411e713427a5fad7c453bf973c8dd38d9b25f6a572f
                                                                                                                                                                                                      • Instruction ID: 31f6d952e69ddc92c57c3d15082e8394249c76af6de0d574896d183d93ceef01
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 30c79af13426789e40e09411e713427a5fad7c453bf973c8dd38d9b25f6a572f
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4281DE383052019BE724DF1CD990A2BB3E2EF89314F54866DF9858B3A0DB35EC51CB0A
                                                                                                                                                                                                      Function 00428280 Relevance: 2.6, Strings: 2, Instructions: 70COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: :7$%$:7$%
                                                                                                                                                                                                      • API String ID: 0-2391988857
                                                                                                                                                                                                      • Opcode ID: f10387fb3a1dea8b0350fba9c1e9ca61dc6ddde05eb87b29ee48f7488e223d9f
                                                                                                                                                                                                      • Instruction ID: 0de6392d9aeb990522659998ecc2397938767f988235b0ae13ec08bed24327b9
                                                                                                                                                                                                      • Opcode Fuzzy Hash: f10387fb3a1dea8b0350fba9c1e9ca61dc6ddde05eb87b29ee48f7488e223d9f
                                                                                                                                                                                                      • Instruction Fuzzy Hash: BA21F1701093908BD7089B69C865B6FFBE4AB86318F105A2DE1D2872D1DBB48809CB82
                                                                                                                                                                                                      Function 009A84E7 Relevance: 2.6, Strings: 2, Instructions: 70COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: :7$%$:7$%
                                                                                                                                                                                                      • API String ID: 0-2391988857
                                                                                                                                                                                                      • Opcode ID: f03a1582adfb2917490f5b92725fb54028286632f3ed6b7bc30f9f8cb79f3731
                                                                                                                                                                                                      • Instruction ID: 91dfa92e790bb6b89a4b0dfa8a8795ed12c6d8122ed19edf40073969ea1be8e8
                                                                                                                                                                                                      • Opcode Fuzzy Hash: f03a1582adfb2917490f5b92725fb54028286632f3ed6b7bc30f9f8cb79f3731
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2521A1715083908BD7089B69C965B6FFBE5ABD6318F145A2CE1D287291DBB48405CB82
                                                                                                                                                                                                      Function 00996D15 Relevance: 2.6, Strings: 2, Instructions: 67COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: H/}$
                                                                                                                                                                                                      • API String ID: 0-2347156884
                                                                                                                                                                                                      • Opcode ID: 59ebb6f1c1a99dc460b157ce1b0bc87d6a21890c15c4f19892189c2b52108220
                                                                                                                                                                                                      • Instruction ID: f0a7f9345dae318bad1a03b8566e097c6f9be5f45413eb52e5b5632344ac05c4
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 59ebb6f1c1a99dc460b157ce1b0bc87d6a21890c15c4f19892189c2b52108220
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2E11C871718240AFD7648F28CD8677B73EAABD2324F28863CD1A4971D1DB74D8418B05
                                                                                                                                                                                                      Function 0098AC99 Relevance: 2.6, Strings: 2, Instructions: 64COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: MO$MO
                                                                                                                                                                                                      • API String ID: 0-3148518880
                                                                                                                                                                                                      • Opcode ID: 15a7f7520f170cbb2b7e14720c3e61eb56271343ee20c45e820ed2ad2248e475
                                                                                                                                                                                                      • Instruction ID: 598674e23a29b8c7d0ffbe4a5cea036bb171a9683f53901e5f119ee8645c7fdc
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 15a7f7520f170cbb2b7e14720c3e61eb56271343ee20c45e820ed2ad2248e475
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6611A9B41442818BEF148FA8DE92667BFA0EF42320F2499D9DC855F38BC638C502CF65
                                                                                                                                                                                                      Function 0044042D Relevance: 2.5, Strings: 2, Instructions: 44COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: 7&'$$vA\
                                                                                                                                                                                                      • API String ID: 0-2621209329
                                                                                                                                                                                                      • Opcode ID: f2599c7c96a7284751bba45eaee817ab4aef05cb3a374ec363b854a8fb74a6dc
                                                                                                                                                                                                      • Instruction ID: 095e66cfb836127910944c44464487434cf5069dbd9256ca3ed79a62a3e9a21d
                                                                                                                                                                                                      • Opcode Fuzzy Hash: f2599c7c96a7284751bba45eaee817ab4aef05cb3a374ec363b854a8fb74a6dc
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 02F09C745145544BEB918F7C98996BF67F0F713214F302BB5C65AE32A2C634C8914F0C
                                                                                                                                                                                                      Function 009C0694 Relevance: 2.5, Strings: 2, Instructions: 44COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: 7&'$$vA\
                                                                                                                                                                                                      • API String ID: 0-2621209329
                                                                                                                                                                                                      • Opcode ID: f2599c7c96a7284751bba45eaee817ab4aef05cb3a374ec363b854a8fb74a6dc
                                                                                                                                                                                                      • Instruction ID: 4b7dd0bae2fc82fe3ae0144328c9199f6050320c50ff004835d2b58da73bc34f
                                                                                                                                                                                                      • Opcode Fuzzy Hash: f2599c7c96a7284751bba45eaee817ab4aef05cb3a374ec363b854a8fb74a6dc
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 7BF09C349145948BEB918F3C9C997BE67F0F753214F302BB9C65AE32A2C631C9918F09
                                                                                                                                                                                                      Function 0041194F Relevance: 2.2, APIs: 1, Instructions: 666COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      • RtlExpandEnvironmentStrings.NTDLL ref: 00411D64
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: EnvironmentExpandStrings
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 237503144-0
                                                                                                                                                                                                      • Opcode ID: 7cd814f07503108b401f8375ab37499eb4f108dc70f145f49585bda23ac5c5ec
                                                                                                                                                                                                      • Instruction ID: a8cfc5bf14821c73dd49e5f1522f5c4ec20a02328b59693b871348f0b0df5eb8
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 7cd814f07503108b401f8375ab37499eb4f108dc70f145f49585bda23ac5c5ec
                                                                                                                                                                                                      • Instruction Fuzzy Hash: E4420A71A04B408FD714DF38D9813A6BBE1AF95314F188A3ED5EB8B3D2D639A446C706
                                                                                                                                                                                                      Function 0043CD27 Relevance: 2.0, Strings: 1, Instructions: 747COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: /p
                                                                                                                                                                                                      • API String ID: 0-62938030
                                                                                                                                                                                                      • Opcode ID: f05dc9b10545ef86860d8fcbb8867fd065d1046c62c590d4d0da79f29562f858
                                                                                                                                                                                                      • Instruction ID: ba8b9978e2f20e60afdbbdaba48a15688935c3ff76d45a9363d37c1b9ca99bef
                                                                                                                                                                                                      • Opcode Fuzzy Hash: f05dc9b10545ef86860d8fcbb8867fd065d1046c62c590d4d0da79f29562f858
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 7C32003AA18351CBD7049F39D81226BB7E1FF9A320F19887ED8C183291E779C955C786
                                                                                                                                                                                                      Function 00997AE4 Relevance: 1.8, APIs: 1, Instructions: 334COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      • RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 00997E61
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: EnvironmentExpandStrings
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 237503144-0
                                                                                                                                                                                                      • Opcode ID: 6f91205ced5711e4090e4a0634995b8efc192ef3404d94e99f17bb35127df139
                                                                                                                                                                                                      • Instruction ID: f96c652471a9ef58866322908f9c1fa6e48d73d343e0594efb6da3239cb4e6ec
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6f91205ced5711e4090e4a0634995b8efc192ef3404d94e99f17bb35127df139
                                                                                                                                                                                                      • Instruction Fuzzy Hash: E4B112729183218BC714CF68C4912AAF7E2FFD9314F19962CE4C95B3A4E7389D02C796
                                                                                                                                                                                                      Function 00426C76 Relevance: 1.8, Strings: 1, Instructions: 581COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: H/}
                                                                                                                                                                                                      • API String ID: 0-3177197702
                                                                                                                                                                                                      • Opcode ID: f0af6f60d34b4f0c8cbc000c65ea523940a6645594962f293f067da5df6a1c82
                                                                                                                                                                                                      • Instruction ID: d2e23a67c1903cd1e9c185385271eb72bcb916f6a4fd91b19e1fe5de6aa7faac
                                                                                                                                                                                                      • Opcode Fuzzy Hash: f0af6f60d34b4f0c8cbc000c65ea523940a6645594962f293f067da5df6a1c82
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4B122775B00226CBDB14CF68D8917AFB7B2FF8A300F5980A9C441AB3A5D7399D42DB54
                                                                                                                                                                                                      Function 00437B69 Relevance: 1.7, APIs: 1, Instructions: 227COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: Object
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 2936123098-0
                                                                                                                                                                                                      • Opcode ID: 5bfd6ba3a5852fa2e976878255e20d7f7abe229613a7257217ba93b1cb630f99
                                                                                                                                                                                                      • Instruction ID: c3200330e68ce6aff19a63fed1a4000c560c1f69ed3aeb6105e6dfa3e47a6751
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 5bfd6ba3a5852fa2e976878255e20d7f7abe229613a7257217ba93b1cb630f99
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9C91C3B1E042548FCB18CF6CC89179EBBF2AF89310F2982ADD855AB391D7759C01CB91
                                                                                                                                                                                                      Function 009B7DD0 Relevance: 1.7, APIs: 1, Instructions: 227COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: Object
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 2936123098-0
                                                                                                                                                                                                      • Opcode ID: 5bfd6ba3a5852fa2e976878255e20d7f7abe229613a7257217ba93b1cb630f99
                                                                                                                                                                                                      • Instruction ID: 75188d750e61c871622489e59b3bd8b4f5820c0e8372dbca4daf9082779f6643
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 5bfd6ba3a5852fa2e976878255e20d7f7abe229613a7257217ba93b1cb630f99
                                                                                                                                                                                                      • Instruction Fuzzy Hash: FC91A3B1E042548FCB08CF6CC99179EBBF2AF89310F2982ADD855AB391D7759C01CB91
                                                                                                                                                                                                      Function 00432426 Relevance: 1.7, Strings: 1, Instructions: 458COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: J
                                                                                                                                                                                                      • API String ID: 0-1141589763
                                                                                                                                                                                                      • Opcode ID: 5532c117ede87cb6d48dc4337908c912729bbac9ed68fbb5a41ad98824fdc125
                                                                                                                                                                                                      • Instruction ID: fda16036ad69fd6001319f3414ba3134900024cf57a0a68240a2308677c6b07d
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 5532c117ede87cb6d48dc4337908c912729bbac9ed68fbb5a41ad98824fdc125
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 82127D71609AC18FE3158B38C591392BFE1AB66304F1CC9AEC4EACB387D63AD5068755
                                                                                                                                                                                                      Function 009B268D Relevance: 1.7, Strings: 1, Instructions: 458COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: J
                                                                                                                                                                                                      • API String ID: 0-1141589763
                                                                                                                                                                                                      • Opcode ID: 5532c117ede87cb6d48dc4337908c912729bbac9ed68fbb5a41ad98824fdc125
                                                                                                                                                                                                      • Instruction ID: 939bada80e7e590ffd2277c4d6765597ad9bbb254515bd988978ebb25498166e
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 5532c117ede87cb6d48dc4337908c912729bbac9ed68fbb5a41ad98824fdc125
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 02128C71609AC18FE3158B38C991392BFE1AB66304F1CC9ADC4EACB387D63AD506C751
                                                                                                                                                                                                      Function 004374AB Relevance: 1.7, APIs: 1, Instructions: 196COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: Object
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 2936123098-0
                                                                                                                                                                                                      • Opcode ID: 8c177a64a41d46644310acd39af35d0db7563ee412bdb5cae8b7e221a38126ae
                                                                                                                                                                                                      • Instruction ID: 45239876aaa66c970168bcac432cbab02119562676560ecae2c3189c67bbcca7
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 8c177a64a41d46644310acd39af35d0db7563ee412bdb5cae8b7e221a38126ae
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6571C7B1E046508FC718CF6CC851359BFF2AB99314F2982ADD8999F3D2D6759C06CB81
                                                                                                                                                                                                      Function 009B7712 Relevance: 1.7, APIs: 1, Instructions: 196COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: Object
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 2936123098-0
                                                                                                                                                                                                      • Opcode ID: 8c177a64a41d46644310acd39af35d0db7563ee412bdb5cae8b7e221a38126ae
                                                                                                                                                                                                      • Instruction ID: 854a21b2c3c0196bcbc196ed11ffadc19b4fd6ee1120fa42d5e7d28eb5eb23b6
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 8c177a64a41d46644310acd39af35d0db7563ee412bdb5cae8b7e221a38126ae
                                                                                                                                                                                                      • Instruction Fuzzy Hash: F871D5B1E046508FC718CF6CC891359BFF2AB85314F2982ADD8999B3D2D6759C06CB81
                                                                                                                                                                                                      Function 00435D13 Relevance: 1.7, APIs: 1, Instructions: 189memoryCOMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: AllocString
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 2525500382-0
                                                                                                                                                                                                      • Opcode ID: 895e7198797d061cd482444d9cbd8ead717cf4916029d31f9be37df0205ba546
                                                                                                                                                                                                      • Instruction ID: f2a30e19a756ef2febaf58aa14edd62971e43cb539abc4116fa3d4166735a6c9
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 895e7198797d061cd482444d9cbd8ead717cf4916029d31f9be37df0205ba546
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 51913A21208BC28ED3268B3C88486157F915B67228F2C87DCE0FA8F7E7C6568107C366
                                                                                                                                                                                                      Function 0043443D Relevance: 1.7, APIs: 1, Instructions: 188memoryCOMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: AllocString
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 2525500382-0
                                                                                                                                                                                                      • Opcode ID: 39e24c8850327072088eaf22e3eb4f87a5337c0b3ab686e23b697ac4ab5ffa30
                                                                                                                                                                                                      • Instruction ID: 615ca32909d59e4e98a0e547278d02967b49bf7f3b148c397c41720c4b96474d
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 39e24c8850327072088eaf22e3eb4f87a5337c0b3ab686e23b697ac4ab5ffa30
                                                                                                                                                                                                      • Instruction Fuzzy Hash: EB912C11208BC28EC326CA3C88586557F921BA7228F2D87DDD0FA8F7D7C7669507C766
                                                                                                                                                                                                      Function 009B46A4 Relevance: 1.7, APIs: 1, Instructions: 188memoryCOMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: AllocString
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 2525500382-0
                                                                                                                                                                                                      • Opcode ID: 39e24c8850327072088eaf22e3eb4f87a5337c0b3ab686e23b697ac4ab5ffa30
                                                                                                                                                                                                      • Instruction ID: 67521833a3a8ee41b773fcb16e178366dbea5d0b9ccc1aed964b493301a775f7
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 39e24c8850327072088eaf22e3eb4f87a5337c0b3ab686e23b697ac4ab5ffa30
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0C912B21208BC28EC326CA3C88586557F921B67238B2D87DCD0FA8F7D7C7669507C766
                                                                                                                                                                                                      Function 0041BEE1 Relevance: 1.6, Strings: 1, Instructions: 341COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: ''
                                                                                                                                                                                                      • API String ID: 0-694448769
                                                                                                                                                                                                      • Opcode ID: 3b0b746955fa4b0b429feefe4d7ac8e528ed3bbb5661132fa39252583aba68ff
                                                                                                                                                                                                      • Instruction ID: 51f56407e220038c845c571476400c53c6676d21aaa49407b98741bf0e440936
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3b0b746955fa4b0b429feefe4d7ac8e528ed3bbb5661132fa39252583aba68ff
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 589124756483108BC3148F28CC912ABB7E2EFD5354F18D92DE8D58B391E778C945C79A
                                                                                                                                                                                                      Function 0099C148 Relevance: 1.6, Strings: 1, Instructions: 341COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: ''
                                                                                                                                                                                                      • API String ID: 0-694448769
                                                                                                                                                                                                      • Opcode ID: a548ca7d71b087bc765c9bc90a6e196857b17e46627d6a49092d6998d688bd5c
                                                                                                                                                                                                      • Instruction ID: 238355e21c58422c865c26639f4137340c5c109deeecc826bdb4f40feb2751be
                                                                                                                                                                                                      • Opcode Fuzzy Hash: a548ca7d71b087bc765c9bc90a6e196857b17e46627d6a49092d6998d688bd5c
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 259103B16183108BCB148F28CCA166BB7E2EFD5364F18D92CE8D58B7A0E774D905C792
                                                                                                                                                                                                      Function 00416ED0 Relevance: 1.6, Strings: 1, Instructions: 330COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: *+
                                                                                                                                                                                                      • API String ID: 0-2181965719
                                                                                                                                                                                                      • Opcode ID: 3410610abae8d48260fb0cfb57a2c63bba9af19cc751d7d22af9eb137d7409aa
                                                                                                                                                                                                      • Instruction ID: a6a176cfa994aee3612649f895d437fda5b17e7ce8ddb12fb8ae0738439bb6c9
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3410610abae8d48260fb0cfb57a2c63bba9af19cc751d7d22af9eb137d7409aa
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0BB177B15093818BD7318F25C8917EBBBF1EF96314F18892DD4C98B391EB384446CB8A
                                                                                                                                                                                                      Function 0040DFE2 Relevance: 1.6, Strings: 1, Instructions: 311COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: UXY^
                                                                                                                                                                                                      • API String ID: 0-1486013802
                                                                                                                                                                                                      • Opcode ID: 6a3e78332c11f0f55536a65cbe22653fee9e07ab791520d2a790fd43c4da64a1
                                                                                                                                                                                                      • Instruction ID: d4a14a9f2c2f0854964ffc34a88a484fd9aac6a31bc7c6ca58301aeff22ad83a
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6a3e78332c11f0f55536a65cbe22653fee9e07ab791520d2a790fd43c4da64a1
                                                                                                                                                                                                      • Instruction Fuzzy Hash: B79135B5504B418FD315CF2AC990622FBA2FF96300B188AACC0D24FB56C738E816CF95
                                                                                                                                                                                                      Function 0098E249 Relevance: 1.6, Strings: 1, Instructions: 311COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: UXY^
                                                                                                                                                                                                      • API String ID: 0-1486013802
                                                                                                                                                                                                      • Opcode ID: 6a3e78332c11f0f55536a65cbe22653fee9e07ab791520d2a790fd43c4da64a1
                                                                                                                                                                                                      • Instruction ID: eb8569039a8395eabe316069a4a12334f0eea7789df2f239cdb0e3bebaa4374d
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6a3e78332c11f0f55536a65cbe22653fee9e07ab791520d2a790fd43c4da64a1
                                                                                                                                                                                                      • Instruction Fuzzy Hash: CE9124B5604B818FD315CF29C990662FBA2FF96300B19869CD0D68FB56C739E806CF95
                                                                                                                                                                                                      Function 00427070 Relevance: 1.5, Strings: 1, Instructions: 280COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: H/}
                                                                                                                                                                                                      • API String ID: 0-3177197702
                                                                                                                                                                                                      • Opcode ID: 87ffeb648b9d3b2ccfc57117cdf1fc242bb3e2d04f71168daa08cd74ffe209e9
                                                                                                                                                                                                      • Instruction ID: 4e43b3032b5f77b82ebf5265758dd730748cf5b28328c74b298a748a547da810
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 87ffeb648b9d3b2ccfc57117cdf1fc242bb3e2d04f71168daa08cd74ffe209e9
                                                                                                                                                                                                      • Instruction Fuzzy Hash: A2915635E04225DFDB15CFA8D8907AEB7B2FF4A300F9980A9D502AB351D739AD42CB44
                                                                                                                                                                                                      Function 00406000 Relevance: 1.5, Strings: 1, Instructions: 269COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: ,
                                                                                                                                                                                                      • API String ID: 0-3772416878
                                                                                                                                                                                                      • Opcode ID: cb9d9bb17d339ae8af9f285b74fa207be133779a529036d3e62f497118ea5ea7
                                                                                                                                                                                                      • Instruction ID: 01c58491163616012ee55187fd92943d7eb5500c339a617f16e03986bf466463
                                                                                                                                                                                                      • Opcode Fuzzy Hash: cb9d9bb17d339ae8af9f285b74fa207be133779a529036d3e62f497118ea5ea7
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 86B138711093819FD321CF18C88065BFBE0AFA9304F444A2DF5DA97782D675EA18CBA6
                                                                                                                                                                                                      Function 00986267 Relevance: 1.5, Strings: 1, Instructions: 269COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: ,
                                                                                                                                                                                                      • API String ID: 0-3772416878
                                                                                                                                                                                                      • Opcode ID: cb9d9bb17d339ae8af9f285b74fa207be133779a529036d3e62f497118ea5ea7
                                                                                                                                                                                                      • Instruction ID: 572876d909ae682c8f7ccd8bf0e696ee2cc5405db7c3d4bcd6c86c49255ee673
                                                                                                                                                                                                      • Opcode Fuzzy Hash: cb9d9bb17d339ae8af9f285b74fa207be133779a529036d3e62f497118ea5ea7
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4EB139711093819FD321DF58C88065BBBE4AFA9304F444E2DF5D99B382D635E918CBA7
                                                                                                                                                                                                      Function 00433930 Relevance: 1.5, Strings: 1, Instructions: 257COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: d
                                                                                                                                                                                                      • API String ID: 0-2564639436
                                                                                                                                                                                                      • Opcode ID: 325107a9566a89f4a2dda67f40c17af6b5e3dbb094075e2adb6cc49459ad4378
                                                                                                                                                                                                      • Instruction ID: ef403fb1259512c9711d70f2e7d5f4cfd006a755ed026aeb3bab0d0ce1423d2c
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 325107a9566a89f4a2dda67f40c17af6b5e3dbb094075e2adb6cc49459ad4378
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 49816827759AD04BD7289E3C4C6127ABE830BD6230F2DD77EB5F68B3E2D56889018345
                                                                                                                                                                                                      Function 009B3B97 Relevance: 1.5, Strings: 1, Instructions: 257COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: d
                                                                                                                                                                                                      • API String ID: 0-2564639436
                                                                                                                                                                                                      • Opcode ID: 325107a9566a89f4a2dda67f40c17af6b5e3dbb094075e2adb6cc49459ad4378
                                                                                                                                                                                                      • Instruction ID: 2ad601f40e52cd809d4c84dc3768e1b67a08d5dd3dcce5cbe7d09c83de4c0aca
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 325107a9566a89f4a2dda67f40c17af6b5e3dbb094075e2adb6cc49459ad4378
                                                                                                                                                                                                      • Instruction Fuzzy Hash: EE812836759A904BD728DA3C4C612BA7A934BD7230F2DCB7DB9F68B3E1D5588A058340
                                                                                                                                                                                                      Function 00442A60 Relevance: 1.5, Strings: 1, Instructions: 256COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: H/}
                                                                                                                                                                                                      • API String ID: 0-3177197702
                                                                                                                                                                                                      • Opcode ID: bb21838f3ad10fc43b638198dd1134618e6e0b80ebbda8d61bfab39d96dcf556
                                                                                                                                                                                                      • Instruction ID: 6a93b08fa6992d126e12a7bd6c306b93c6ef3d764d3eda4b37502e868ad0b706
                                                                                                                                                                                                      • Opcode Fuzzy Hash: bb21838f3ad10fc43b638198dd1134618e6e0b80ebbda8d61bfab39d96dcf556
                                                                                                                                                                                                      • Instruction Fuzzy Hash: A581F0342043169FD724DF28C980A6BB3E1EF89324F58862DF9958B3A1E774EC11CB49
                                                                                                                                                                                                      Function 009C2CC7 Relevance: 1.5, Strings: 1, Instructions: 256COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: H/}
                                                                                                                                                                                                      • API String ID: 0-3177197702
                                                                                                                                                                                                      • Opcode ID: e9967d51fbd7d66a82ac835e53c8b6f5d839448025aa1fb83a89f7dd4b290d4c
                                                                                                                                                                                                      • Instruction ID: 92e5b20f72eec70d64513e9894186e1d898e3f4927ffa716c1c2a39b2e59bce8
                                                                                                                                                                                                      • Opcode Fuzzy Hash: e9967d51fbd7d66a82ac835e53c8b6f5d839448025aa1fb83a89f7dd4b290d4c
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3681AE34A043569FC724DF28C890B6AB3F5EF89360F14866CF9958B2A1E731EC51CB42
                                                                                                                                                                                                      Function 009C2A17 Relevance: 1.5, Strings: 1, Instructions: 247COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: H/}
                                                                                                                                                                                                      • API String ID: 0-3177197702
                                                                                                                                                                                                      • Opcode ID: 8ede958760def0fb47ef62c8d664d44c55fbe6b810f6c68a305d53f1873dda57
                                                                                                                                                                                                      • Instruction ID: 88439bc59a5046693a679eb8b51247cdcdce5b0c5bdfb4e6172df6fb8ed80e11
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 8ede958760def0fb47ef62c8d664d44c55fbe6b810f6c68a305d53f1873dda57
                                                                                                                                                                                                      • Instruction Fuzzy Hash: C1819D34A052019BD724DF2CC890F6EB3E6EF99714F15866CE9958B3A0EB31EC51CB46
                                                                                                                                                                                                      Function 0042D830 Relevance: 1.5, Strings: 1, Instructions: 236COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: "
                                                                                                                                                                                                      • API String ID: 0-123907689
                                                                                                                                                                                                      • Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
                                                                                                                                                                                                      • Instruction ID: 6564e7b3ad14b453794cbf2f19722db2d5742acb1a2f8ce2a072c031a44184fe
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 23710432F083254BD714CE28E88071FBBE2ABC5710FA9852EE4958B391D239DD45878A
                                                                                                                                                                                                      Function 009ADA97 Relevance: 1.5, Strings: 1, Instructions: 236COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: "
                                                                                                                                                                                                      • API String ID: 0-123907689
                                                                                                                                                                                                      • Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
                                                                                                                                                                                                      • Instruction ID: f25e4ed786c95a87c444b269740ac4ff419fc555b0f6eb9cce93bbf9a2d81e77
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9571F532A093555BD724CE28C48031EB7F6ABC6720F2AC92DE4969BB91D374DD44CBC1
                                                                                                                                                                                                      Function 0041A900 Relevance: 1.5, Strings: 1, Instructions: 201COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: _;=8
                                                                                                                                                                                                      • API String ID: 0-3640539833
                                                                                                                                                                                                      • Opcode ID: 1d81db7cde41a3e0fb3553ca3b72ed2fa4290f6dd7cddc566a2c3c75c2eae2db
                                                                                                                                                                                                      • Instruction ID: e58a9c241393c577c0dbf69e703309a02622358f74323d7420d86702d8d0d07f
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1d81db7cde41a3e0fb3553ca3b72ed2fa4290f6dd7cddc566a2c3c75c2eae2db
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 245112B0521B008BC7249F25C8616B3BBF1EF52345B084E5DC4C38BB45E739A948CBA5
                                                                                                                                                                                                      Function 0099AB67 Relevance: 1.5, Strings: 1, Instructions: 201COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: _;=8
                                                                                                                                                                                                      • API String ID: 0-3640539833
                                                                                                                                                                                                      • Opcode ID: cde9169defac7f2d6903167d29639d2391a51efbddd28276b42fe9cde3aea7aa
                                                                                                                                                                                                      • Instruction ID: 6dabccabf2517a66c0009a084a557a761e71a0bcc1442933c484d61af9e8b875
                                                                                                                                                                                                      • Opcode Fuzzy Hash: cde9169defac7f2d6903167d29639d2391a51efbddd28276b42fe9cde3aea7aa
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 005100B0511B408BCB289F29C8616B3BBF1FF52345B084E5CC4C38BA55E739A909CBA1
                                                                                                                                                                                                      Function 00997137 Relevance: 1.4, Strings: 1, Instructions: 161COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: *+
                                                                                                                                                                                                      • API String ID: 0-2181965719
                                                                                                                                                                                                      • Opcode ID: 2bbcc82fd047366a200e277a7b52cff4fec95a2559de0f56e174b4bebb18c894
                                                                                                                                                                                                      • Instruction ID: b1743cbfaa13a6ef63b5928009b8f207d3eff511d5eaa8b6a9a65bcbb5cf9bdf
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 2bbcc82fd047366a200e277a7b52cff4fec95a2559de0f56e174b4bebb18c894
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2C6120B140A3818BD7708F2584917DBFBE2AFD6318F54891CD5C89B254EB394146CB87
                                                                                                                                                                                                      Function 0043C9A0 Relevance: 1.4, Strings: 1, Instructions: 149COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                                                                      • String ID: H/}
                                                                                                                                                                                                      • API String ID: 2994545307-3177197702
                                                                                                                                                                                                      • Opcode ID: 729b3e7d6e3191008210f842740a6d9190df207d04178a60961e4fc3c3af6df3
                                                                                                                                                                                                      • Instruction ID: a4b821128decaa172c514915c42a23315f051a59fcda10375df645c6c4b50b9f
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 729b3e7d6e3191008210f842740a6d9190df207d04178a60961e4fc3c3af6df3
                                                                                                                                                                                                      • Instruction Fuzzy Hash: DF417C759043146BE310EF24ECC1B6BB7A4EF89708F10942EF985A7251E735EC04879A
                                                                                                                                                                                                      Function 009BCC07 Relevance: 1.4, Strings: 1, Instructions: 149COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: H/}
                                                                                                                                                                                                      • API String ID: 0-3177197702
                                                                                                                                                                                                      • Opcode ID: 40df236e589d81010455b97f2d2192286a205d1063d17ff6a38768a85cdfa26a
                                                                                                                                                                                                      • Instruction ID: e9a67d2895c6d57035e8d72529f84c44a3d3bc0cf7b39f5f437ab0f0eb5ef6de
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 40df236e589d81010455b97f2d2192286a205d1063d17ff6a38768a85cdfa26a
                                                                                                                                                                                                      • Instruction Fuzzy Hash: A24139B5A043146FD7149F64DE41BABBBA9EFC5B14F24843CF98597290E732EC048B92
                                                                                                                                                                                                      Function 00440BAB Relevance: 1.4, Strings: 1, Instructions: 109COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: }I\
                                                                                                                                                                                                      • API String ID: 0-3759065986
                                                                                                                                                                                                      • Opcode ID: df1d40a0c1601d316635205874302e9800cae571c9b88acd49baf0bd568f005e
                                                                                                                                                                                                      • Instruction ID: 06326f033c1d303d2a0c44ae50e6a95f42fac71f38a9198839615570ed5a6674
                                                                                                                                                                                                      • Opcode Fuzzy Hash: df1d40a0c1601d316635205874302e9800cae571c9b88acd49baf0bd568f005e
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 653126605546928BEB258F34C8A27B7BBB0FF47310F144759C8C18B785EB78A992CB85
                                                                                                                                                                                                      Function 009C0E12 Relevance: 1.4, Strings: 1, Instructions: 109COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: }I\
                                                                                                                                                                                                      • API String ID: 0-3759065986
                                                                                                                                                                                                      • Opcode ID: df1d40a0c1601d316635205874302e9800cae571c9b88acd49baf0bd568f005e
                                                                                                                                                                                                      • Instruction ID: 0bb79140d8abf3cd5e49775f61cf810c5f0cf4880cae26e905b76aecf4b744ae
                                                                                                                                                                                                      • Opcode Fuzzy Hash: df1d40a0c1601d316635205874302e9800cae571c9b88acd49baf0bd568f005e
                                                                                                                                                                                                      • Instruction Fuzzy Hash: FC315C60554692CBDB11CF38C891BB6B7B0FF87314F144B5DC4C58B681DB38A592CB82
                                                                                                                                                                                                      Function 007936A3 Relevance: 1.3, Strings: 1, Instructions: 61COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286759984.0000000000793000.00000040.00000020.00020000.00000000.sdmp, Offset: 00793000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_793000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: 56y
                                                                                                                                                                                                      • API String ID: 0-2099553924
                                                                                                                                                                                                      • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                                                                                                                                      • Instruction ID: 5f5eddf9642938f3818f7ecd4eafbed59119c414067769c6f2d662bd49ce7e76
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                                                                                                                                      • Instruction Fuzzy Hash: E41161B2340101AFDB54DF55ECC1FA677EAEB89360B298065ED08CB316D679ED42C760
                                                                                                                                                                                                      Function 00998809 Relevance: 1.3, Strings: 1, Instructions: 58COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: H/}
                                                                                                                                                                                                      • API String ID: 0-3177197702
                                                                                                                                                                                                      • Opcode ID: 2f3d0f86c51dd52561bd956f66a0919b21b2b2791d13a1f53376856cb036d1a9
                                                                                                                                                                                                      • Instruction ID: a39e9ffca9deda2f3dc34645818be4146eeb2284f5504c35c6ca8f29e326980f
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 2f3d0f86c51dd52561bd956f66a0919b21b2b2791d13a1f53376856cb036d1a9
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3F11C674541220EEDA689F1E8DC2F3A3265FB47710FA4462CF176920E2DB7178518A2D
                                                                                                                                                                                                      Function 0043F0E0 Relevance: 1.3, Strings: 1, Instructions: 46COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                                                                      • String ID: H/}
                                                                                                                                                                                                      • API String ID: 2994545307-3177197702
                                                                                                                                                                                                      • Opcode ID: 59ed13ec8eb8bd8147eea6b0df157e6c9ae6c2307cf57b48e0fe75af3e9c5a7e
                                                                                                                                                                                                      • Instruction ID: 0c7a45b7bc69abfe1ea4a300e8af6adda297262347155a361b302868447e3dd6
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 59ed13ec8eb8bd8147eea6b0df157e6c9ae6c2307cf57b48e0fe75af3e9c5a7e
                                                                                                                                                                                                      • Instruction Fuzzy Hash: AFF0D635904214BBD5104F49EC81D37737DE7CE768F141329E514122A2A732AD1186A9
                                                                                                                                                                                                      Function 009BF347 Relevance: 1.3, Strings: 1, Instructions: 46COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: H/}
                                                                                                                                                                                                      • API String ID: 0-3177197702
                                                                                                                                                                                                      • Opcode ID: f5d7cfea0e4e327b9eda319c71044655f3c20aae259e9c189ca88ac76d4abae3
                                                                                                                                                                                                      • Instruction ID: ae500c4bf1e86bd60beaf77795c04c57a3a4ee181bfb04998cea78b0b16b2b23
                                                                                                                                                                                                      • Opcode Fuzzy Hash: f5d7cfea0e4e327b9eda319c71044655f3c20aae259e9c189ca88ac76d4abae3
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9DF0D675500218BBC2104B499D81D7F77ADEBCE7B8F180328F41852161A322ED1097A9
                                                                                                                                                                                                      Function 009AB8B5 Relevance: 1.3, Strings: 1, Instructions: 35COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: H/}
                                                                                                                                                                                                      • API String ID: 0-3177197702
                                                                                                                                                                                                      • Opcode ID: 6146b7094830001aaaf13cb0f51437480e6ddd60403108575e1b98eecd2c1ab1
                                                                                                                                                                                                      • Instruction ID: 9225d8c72d719586763a0638983b1cc3a51ba6a980c3b1f959baca321618eb81
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6146b7094830001aaaf13cb0f51437480e6ddd60403108575e1b98eecd2c1ab1
                                                                                                                                                                                                      • Instruction Fuzzy Hash: C5F090B5A08612DBD6189B18DC4263B73AAEFC3354F68492CE28517176D331AC51CA4A
                                                                                                                                                                                                      Function 00418672 Relevance: 1.3, Strings: 1, Instructions: 34COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: H/}
                                                                                                                                                                                                      • API String ID: 0-3177197702
                                                                                                                                                                                                      • Opcode ID: d0bff55706ff93967b4313bb2a1d7a7ee9ee426091711acca18b712e24a09905
                                                                                                                                                                                                      • Instruction ID: c14077b8a130247762470a12415ef9365636b0c970e2bf5ce29861a99db5fcbf
                                                                                                                                                                                                      • Opcode Fuzzy Hash: d0bff55706ff93967b4313bb2a1d7a7ee9ee426091711acca18b712e24a09905
                                                                                                                                                                                                      • Instruction Fuzzy Hash: B2F08238502120EEC7588F189EC157D73A2F747311729147EC406A31A0DF34ACD2C90E
                                                                                                                                                                                                      Function 009958FA Relevance: 1.3, Strings: 1, Instructions: 31COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: H/}
                                                                                                                                                                                                      • API String ID: 0-3177197702
                                                                                                                                                                                                      • Opcode ID: fba0dd296d97388ae8806046d0d018cb5991b0a5fc03ca011737e50afd9cac09
                                                                                                                                                                                                      • Instruction ID: ed47003cc5c48d8b4f995dab5c44c99606e59126c7a94ea4fb5a2e51d7930559
                                                                                                                                                                                                      • Opcode Fuzzy Hash: fba0dd296d97388ae8806046d0d018cb5991b0a5fc03ca011737e50afd9cac09
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6BF0E274A09611EFEB19CB0CD89163AB367FBC2320FDA863CE498470A4C3307C528B48
                                                                                                                                                                                                      Function 009A6BA7 Relevance: 1.3, Strings: 1, Instructions: 29COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: H/}
                                                                                                                                                                                                      • API String ID: 0-3177197702
                                                                                                                                                                                                      • Opcode ID: beb5adae6fff6175e383ddf1efeefbc8f00a994d28ce3fd0efda4cde5bc363b2
                                                                                                                                                                                                      • Instruction ID: 65f50cda4c7e2a7d13d3432d6b47dc123aa11ec1c53e7bde227439882e767667
                                                                                                                                                                                                      • Opcode Fuzzy Hash: beb5adae6fff6175e383ddf1efeefbc8f00a994d28ce3fd0efda4cde5bc363b2
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 08F08274A05011EFDB1C8B58AC42A3EF377FB87325F699124D515231A0D730BC119A88
                                                                                                                                                                                                      Function 0042B652 Relevance: 1.3, Strings: 1, Instructions: 22COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: H/}
                                                                                                                                                                                                      • API String ID: 0-3177197702
                                                                                                                                                                                                      • Opcode ID: bf2067ab6f32b58c45c9008d31a8987c58cfc8b8a777689b5c00e406fa9fe567
                                                                                                                                                                                                      • Instruction ID: 85f90f05b7cd9740f0dd11be4e47d539d37879f59d8f753959adedc7e492877d
                                                                                                                                                                                                      • Opcode Fuzzy Hash: bf2067ab6f32b58c45c9008d31a8987c58cfc8b8a777689b5c00e406fa9fe567
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 72E08678B18231DBD6148F05F99163AB3A1EFD7305F98543F904657620E334AC02C68F
                                                                                                                                                                                                      Function 0099F937 Relevance: .8, Instructions: 817COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: ee3c8babdd8ca27d4c7d2d50a63fd452c7c20a463d5d8a55cf4e65cb5b776805
                                                                                                                                                                                                      • Instruction ID: c433282d305ad9d363b69dd72fc96f1954d82c8e7d264cc44743587fc88ffb16
                                                                                                                                                                                                      • Opcode Fuzzy Hash: ee3c8babdd8ca27d4c7d2d50a63fd452c7c20a463d5d8a55cf4e65cb5b776805
                                                                                                                                                                                                      • Instruction Fuzzy Hash: F572C0B1618F808ED329CF3C8815397BFD6AB5A324F188B5DA0FA877D2CB7561018756
                                                                                                                                                                                                      Function 00402EF0 Relevance: .7, Instructions: 670COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 2a0560caf1e005bf9593c23293c27da937b43b9d2d83b6212584ccfc0756e270
                                                                                                                                                                                                      • Instruction ID: f14b1a32a054cc5d02357b16e4139c05c7a1a12d214dcc5fef3fcda50377de84
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 2a0560caf1e005bf9593c23293c27da937b43b9d2d83b6212584ccfc0756e270
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3C52F2715083458FCB14CF24C0806AABFE1BF89314F198A7EF8996B391D779DA49CB85
                                                                                                                                                                                                      Function 00983157 Relevance: .7, Instructions: 670COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 2a0560caf1e005bf9593c23293c27da937b43b9d2d83b6212584ccfc0756e270
                                                                                                                                                                                                      • Instruction ID: 57e21ad51cb5042f87937b986a78fdecdc626d1d54792cb6fa71fa0a761c5b01
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 2a0560caf1e005bf9593c23293c27da937b43b9d2d83b6212584ccfc0756e270
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6F52E1715083858BCB15DF28C0906AABBE1BF88718F18CA6DF8DA97351D778DA49CF41
                                                                                                                                                                                                      Function 00991BB6 Relevance: .7, Instructions: 666COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 37211a9a704324c1d47da4259e683596f8723382af120e69f7f272388f5a9581
                                                                                                                                                                                                      • Instruction ID: d5f49610221094867335b0d538627fffa87d2a4724181b6e689060f6abc22bd7
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 37211a9a704324c1d47da4259e683596f8723382af120e69f7f272388f5a9581
                                                                                                                                                                                                      • Instruction Fuzzy Hash: BA42C7B1A04B408FDB14DF3CC88536ABBE1AF95310F188A2DD5AB873D2D639E446C752
                                                                                                                                                                                                      Function 00406850 Relevance: .7, Instructions: 665COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 8e90048c5e85cf3c38a1b76a8b8bc06c7f3e5a8f31bed9412d846d1be308970a
                                                                                                                                                                                                      • Instruction ID: 65e2e910a3c29fe674c350ea84f17f1873166e83f436a48a2f56d7b4a0c34cae
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 8e90048c5e85cf3c38a1b76a8b8bc06c7f3e5a8f31bed9412d846d1be308970a
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 7652E270A08B848FE731DB24C4847A7BBE1EB52310F15483ED5EB167C2D37DA9958B4A
                                                                                                                                                                                                      Function 00986AB7 Relevance: .7, Instructions: 665COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: ac5a0a914cdb46c0dd636e39918af3488c68668d3e5188023bb58f14171f3048
                                                                                                                                                                                                      • Instruction ID: cc27748a37bfbc548b298bdb87a8e871d583ffcf56d6f8dc60e04dca0362f713
                                                                                                                                                                                                      • Opcode Fuzzy Hash: ac5a0a914cdb46c0dd636e39918af3488c68668d3e5188023bb58f14171f3048
                                                                                                                                                                                                      • Instruction Fuzzy Hash: BD52B170A08B848FE735EB64C4843A7FBE5EB51314F244C2ED5E70AB82C379A985D716
                                                                                                                                                                                                      Function 0043080E Relevance: .6, Instructions: 614COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 6f25be90f7b65d58be15c4d88bb4d641b8ec0ac9c1adb1457478fca83ecd3ec3
                                                                                                                                                                                                      • Instruction ID: 7a46f96e6aa3aa7fe73ff395c1311c5ab64b68b87e261d37d1a00d802d05be89
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6f25be90f7b65d58be15c4d88bb4d641b8ec0ac9c1adb1457478fca83ecd3ec3
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9942B4B0505B809FD315CF39C996793BFE1AB56314F18CA9ED4EE8B382C2399445CB91
                                                                                                                                                                                                      Function 009B0A75 Relevance: .6, Instructions: 614COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 6f25be90f7b65d58be15c4d88bb4d641b8ec0ac9c1adb1457478fca83ecd3ec3
                                                                                                                                                                                                      • Instruction ID: b7171abad8f107ea971ed2c68e7ea4549d8cbf915ce1298a83bc52f213fbf26c
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6f25be90f7b65d58be15c4d88bb4d641b8ec0ac9c1adb1457478fca83ecd3ec3
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9D42B3B0505B809FD315CF39C996793BFE1AB56310F18CA9DE4EE8B386C2399445CB92
                                                                                                                                                                                                      Function 00407620 Relevance: .6, Instructions: 612COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: a8bb466db5d070fb099be5cdb0fd94ca4abf5b60ced88e2066174f7cb2904948
                                                                                                                                                                                                      • Instruction ID: ccb3959594043c792932c0cfc7d39f61c3b1d77d2143a35f25ab615b2c98e1b5
                                                                                                                                                                                                      • Opcode Fuzzy Hash: a8bb466db5d070fb099be5cdb0fd94ca4abf5b60ced88e2066174f7cb2904948
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9812B432A0C7118BD725DF18D8806ABB3E1BFC4315F19893ED986A7385D738B8518B87
                                                                                                                                                                                                      Function 00987887 Relevance: .6, Instructions: 612COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: a8bb466db5d070fb099be5cdb0fd94ca4abf5b60ced88e2066174f7cb2904948
                                                                                                                                                                                                      • Instruction ID: 9ee0fb1c1063e647f4789f00af2e73f2c0ffa8bac450490ab1123a02402699fb
                                                                                                                                                                                                      • Opcode Fuzzy Hash: a8bb466db5d070fb099be5cdb0fd94ca4abf5b60ced88e2066174f7cb2904948
                                                                                                                                                                                                      • Instruction Fuzzy Hash: AD12B332A0C7128BC725EF58D8806BBF3E6AFD4315F29892DD9C697385D734E8118B52
                                                                                                                                                                                                      Function 00403900 Relevance: .6, Instructions: 600COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: ba850d03f0ab7e2665174e53d7acfed008f992a92a5e68a4f1054f1f90159d3f
                                                                                                                                                                                                      • Instruction ID: 8ec60f5116ed2b9ea6bd41125fce4102d17c63a0885b3531693fd8b8e290e5dc
                                                                                                                                                                                                      • Opcode Fuzzy Hash: ba850d03f0ab7e2665174e53d7acfed008f992a92a5e68a4f1054f1f90159d3f
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 09322370914B118FC328CF29C68052ABBF5BF85711B604A2ED697A7B90D73AF945CB18
                                                                                                                                                                                                      Function 00983B67 Relevance: .6, Instructions: 600COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 302ca6eb955e12cdbb1b2a3d679feaf83e016e060d4fed8bf4a7c2766afae2b3
                                                                                                                                                                                                      • Instruction ID: eef1d57c241072994ead6ee91c7e5b48d03dcb1086263eebe0dd7096fa399e2f
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 302ca6eb955e12cdbb1b2a3d679feaf83e016e060d4fed8bf4a7c2766afae2b3
                                                                                                                                                                                                      • Instruction Fuzzy Hash: D7322570915B128FC368EF29C58052ABBF1BF55B10B608A2ED6A787F90D736F945CB10
                                                                                                                                                                                                      Function 00441B20 Relevance: .5, Instructions: 485COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 06681fd06d7842ada82dae78e60d469ed9d6c6833ec0578904e50dff9852b5ef
                                                                                                                                                                                                      • Instruction ID: 0c2c903ba8ab9d1616d7dcc2afe94072de716e40dc01c7b757aa9311b81398a3
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 06681fd06d7842ada82dae78e60d469ed9d6c6833ec0578904e50dff9852b5ef
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 41E1ED35609340CFD348CF68E89062BB7E2FB8A315F19897DE98687362D738E945CB45
                                                                                                                                                                                                      Function 0040E9B0 Relevance: .5, Instructions: 474COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: c02c56f115fc56fc7ef3cf88c78f70bbdbcded8e53bb9888c4cf7ade8dd62519
                                                                                                                                                                                                      • Instruction ID: 0d842de8c269587a107e17bcba800491c000644a8f7bd6d00a783dd33ebb532c
                                                                                                                                                                                                      • Opcode Fuzzy Hash: c02c56f115fc56fc7ef3cf88c78f70bbdbcded8e53bb9888c4cf7ade8dd62519
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5D123CF0900B00AFC360DF39D946797BFE8EB46360F144A2EE5EE97281D73561158BA6
                                                                                                                                                                                                      Function 0098EC17 Relevance: .5, Instructions: 474COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: c02c56f115fc56fc7ef3cf88c78f70bbdbcded8e53bb9888c4cf7ade8dd62519
                                                                                                                                                                                                      • Instruction ID: bf6f1b3bed0a91f308c850a735d64f6e8a2f9f0341cdab177fefda3409ebc63e
                                                                                                                                                                                                      • Opcode Fuzzy Hash: c02c56f115fc56fc7ef3cf88c78f70bbdbcded8e53bb9888c4cf7ade8dd62519
                                                                                                                                                                                                      • Instruction Fuzzy Hash: D0121DF0904B00AFC360EF39D946797BFE8EB46350F144A2EE5EE87381D63561058BA2
                                                                                                                                                                                                      Function 00405AB0 Relevance: .4, Instructions: 448COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 782d56cc06f3b6973921e2512ebb950397a26f9326316825ec2b076d036e3b03
                                                                                                                                                                                                      • Instruction ID: c31a76099084191e3034c22a37ea28885ef806c0d431935db3893f7feff996f6
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 782d56cc06f3b6973921e2512ebb950397a26f9326316825ec2b076d036e3b03
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 92F1DE356087418FC724CF29C88066BFBE6EFD9300F08882EE5D597791E679E845CB96
                                                                                                                                                                                                      Function 00985D17 Relevance: .4, Instructions: 448COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: e66362c8fb9e42a485a20769d13899b4c0de8f0fb50873082383503af3f25fbe
                                                                                                                                                                                                      • Instruction ID: 13f4b52172001a6572604426562431025748e6c32b68443850f2bc3310618fdd
                                                                                                                                                                                                      • Opcode Fuzzy Hash: e66362c8fb9e42a485a20769d13899b4c0de8f0fb50873082383503af3f25fbe
                                                                                                                                                                                                      • Instruction Fuzzy Hash: E2F1BD366087418FC724DF29C88076BFBE6AFD9300F48892DE5D987351E635E849CB96
                                                                                                                                                                                                      Function 00441BB0 Relevance: .4, Instructions: 434COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 77e2c5d0afb397b189f10b5a8afc673ab41116975c883d7e1e0ede4eb514e053
                                                                                                                                                                                                      • Instruction ID: 324ad5c95dff1901f2f9d6c111dcb15fcefbb6efdba5ce0306a944ad1c6f7bef
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 77e2c5d0afb397b189f10b5a8afc673ab41116975c883d7e1e0ede4eb514e053
                                                                                                                                                                                                      • Instruction Fuzzy Hash: F0D1EC35619341CFD348CF28D89062BB7E2EB8A315F09897DE98687362D738E945CB45
                                                                                                                                                                                                      Function 00441C40 Relevance: .4, Instructions: 426COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: f50f095729c1c5a2da103129e24be9725e6393a4e914a9abcda81a05e9b3429f
                                                                                                                                                                                                      • Instruction ID: dc21f79cdc73c015b7bd86b7114b814d04dcd303e05c17d6c0f759f64c7459c0
                                                                                                                                                                                                      • Opcode Fuzzy Hash: f50f095729c1c5a2da103129e24be9725e6393a4e914a9abcda81a05e9b3429f
                                                                                                                                                                                                      • Instruction Fuzzy Hash: D4D1ED356193408FD358CF38D89062BB7E2EBCA315F09897DE88687392D738E905CB46
                                                                                                                                                                                                      Function 0041D400 Relevance: .4, Instructions: 389COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 72020315f9591e10a925340aaa42bd314528023c988bae550c98a300e050c010
                                                                                                                                                                                                      • Instruction ID: 381d8ba9b41755d1dc6d15d311edfbcab53db212d726a0c48d74eb4341d637bc
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 72020315f9591e10a925340aaa42bd314528023c988bae550c98a300e050c010
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 63C146B5908300AFD7109F24DC81B9BBBE2BFD5354F148A2EF4E8932A1D77998458B46
                                                                                                                                                                                                      Function 0099D667 Relevance: .4, Instructions: 389COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 24456b8a2a5717e075ed712887d6e124a34d9247993dd7218bbcb4bbbbc13bbd
                                                                                                                                                                                                      • Instruction ID: da20cd8a434c1ddfa364a1dfbee4fec3dd466f80b0e7a8e22237981b6984b510
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 24456b8a2a5717e075ed712887d6e124a34d9247993dd7218bbcb4bbbbc13bbd
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 51C1F875909301AFDB109F68CC81B1ABBE2BFD5321F148A2CF8D8932A1D7769D15CB52
                                                                                                                                                                                                      Function 00432B24 Relevance: .4, Instructions: 382COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: a42bc307b6df4b8a2997052392abae3ba1b04b865f6d04cebd1ac29fa035a6ac
                                                                                                                                                                                                      • Instruction ID: 1ceb5ad02d8bbd155c1732c87becb70ba2bb68f476a2c3c7809d4ed59241557d
                                                                                                                                                                                                      • Opcode Fuzzy Hash: a42bc307b6df4b8a2997052392abae3ba1b04b865f6d04cebd1ac29fa035a6ac
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4CF13B72605B808FD315CB3CC8513A6BFE2AF9A314F1C866DD1EB8B392D679A805C715
                                                                                                                                                                                                      Function 009B2D8B Relevance: .4, Instructions: 382COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: a42bc307b6df4b8a2997052392abae3ba1b04b865f6d04cebd1ac29fa035a6ac
                                                                                                                                                                                                      • Instruction ID: 0e2d111bd48ede4c78b5c697ff2c82409be89b45f8caa1d2bebaf92d3a7317c9
                                                                                                                                                                                                      • Opcode Fuzzy Hash: a42bc307b6df4b8a2997052392abae3ba1b04b865f6d04cebd1ac29fa035a6ac
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2FF11B71609B818FD315CB3CC8917E6BFE2AF96314F1D8A6CC1EA8B392D635A446C711
                                                                                                                                                                                                      Function 004354C4 Relevance: .4, Instructions: 379COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 64d23a176a35810a23fac51187625fdecd54078f476d88896bd3dcd6ea4a90e6
                                                                                                                                                                                                      • Instruction ID: 3f1c9d1a024df14266348ce370e510d7f88b70138a1f1607deade05ec74f5600
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 64d23a176a35810a23fac51187625fdecd54078f476d88896bd3dcd6ea4a90e6
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3DF19B62625AC18FE3158B3DC811396FFE2AB66304F1CCAAED0D9CB787C12DE5418B55
                                                                                                                                                                                                      Function 009B572B Relevance: .4, Instructions: 379COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 64d23a176a35810a23fac51187625fdecd54078f476d88896bd3dcd6ea4a90e6
                                                                                                                                                                                                      • Instruction ID: 0529d17075d3eb5ecf0abcc738523c37bd0d8364c4a5245910e3d074b536f1ca
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 64d23a176a35810a23fac51187625fdecd54078f476d88896bd3dcd6ea4a90e6
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 10F19B62629AC18FE3158B3DC811392FFE2AB56304F0CCAAED0D9CB787C16DE5418B55
                                                                                                                                                                                                      Function 00994E87 Relevance: .4, Instructions: 352COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 784a6082fd36e0f2db424425c66ea396cbe7c3108031eaa283b40557bcb29b39
                                                                                                                                                                                                      • Instruction ID: 916e6ea41b9e7b5b592d9c9df0420879b4fb3b260aad3911d55d43f1bdab2f7e
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 784a6082fd36e0f2db424425c66ea396cbe7c3108031eaa283b40557bcb29b39
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5F8135B2A1831187DB25DF28CC92B6B73E1EFD1314F09852CE8868B795F7789905C792
                                                                                                                                                                                                      Function 004121DB Relevance: .3, Instructions: 328COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 5a9f635dd852b41b7c60ed20ba741a58096cfaa4ee9890b2400d9fe663f5cf59
                                                                                                                                                                                                      • Instruction ID: d9e51bed8acac8e2edf38fb82beeca54912ebc64a1188df36e5052ebbd943c0e
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 5a9f635dd852b41b7c60ed20ba741a58096cfaa4ee9890b2400d9fe663f5cf59
                                                                                                                                                                                                      • Instruction Fuzzy Hash: F3C117B5604B408FC7109F38D5D13A6BBE1AF55314F18893ED4EBCB382E679A456CB06
                                                                                                                                                                                                      Function 00992442 Relevance: .3, Instructions: 328COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: d0704939d3ffdea9ec5931a0f43224e15fa154c614923ed6ac8c930f834d7e03
                                                                                                                                                                                                      • Instruction ID: 3663af191463663e8a3d86665842b1a154acd7258e87466bd646799723e8c6da
                                                                                                                                                                                                      • Opcode Fuzzy Hash: d0704939d3ffdea9ec5931a0f43224e15fa154c614923ed6ac8c930f834d7e03
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 02C1C7B5604B408FD724EF3CC8D1366BBE1AF95314F18893DD4DA87782E636A405CB52
                                                                                                                                                                                                      Function 0041D0C0 Relevance: .3, Instructions: 307COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 261da269869b40bfe185e36c4caea727d5cf95f090471bfb73278ec76fa3dc74
                                                                                                                                                                                                      • Instruction ID: caf67132f2853a10be2cec12a01a7e8acbb33fc6e304049243772e7507394de4
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 261da269869b40bfe185e36c4caea727d5cf95f090471bfb73278ec76fa3dc74
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 36913B72A082614BC715CE28C89169FBBE1AB85324F19867DECF95B3D2C238DC45D7D2
                                                                                                                                                                                                      Function 0099D327 Relevance: .3, Instructions: 307COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 56f92c23f4de9e7d5ead2b134e5edb7bf87a3dc66531e3755251521cd286cddd
                                                                                                                                                                                                      • Instruction ID: a65fa5ec6993b8759e6c96cd38e57e9a148b1712cb78313afc021d1a7a3ce5f5
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 56f92c23f4de9e7d5ead2b134e5edb7bf87a3dc66531e3755251521cd286cddd
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 54915A72A082614BCB15CE2C889075FBBE1AB95324F19867CECF98B396C235DD05D7D2
                                                                                                                                                                                                      Function 004063C0 Relevance: .3, Instructions: 303COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 32a6d0b72cf3d2ffc0339e9a321dcc048d2014ea7503e5de902cc41c51ca1703
                                                                                                                                                                                                      • Instruction ID: b5a54add573a1b485231af3f9cb3d4e6e0a3023674c66bc51678a471f8a90890
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 32a6d0b72cf3d2ffc0339e9a321dcc048d2014ea7503e5de902cc41c51ca1703
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 35C15BB29087418FC360CF28DC96BABB7E1BF85318F09492DD1DAD6342E778A155CB46
                                                                                                                                                                                                      Function 00986627 Relevance: .3, Instructions: 303COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 32a6d0b72cf3d2ffc0339e9a321dcc048d2014ea7503e5de902cc41c51ca1703
                                                                                                                                                                                                      • Instruction ID: ef531d858a39a52c8ef0e9660e87148da7b80cc21535352ddf95a580d1f5f1e2
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 32a6d0b72cf3d2ffc0339e9a321dcc048d2014ea7503e5de902cc41c51ca1703
                                                                                                                                                                                                      • Instruction Fuzzy Hash: C2C14BB29487418FC364DF68CC96BABB7E1BF85318F08492DD2D9C6342E778A155CB06
                                                                                                                                                                                                      Function 00428B67 Relevance: .3, Instructions: 300COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 445fa7bb5657631e2454b87089e2e6838ddfea7a1e3368e0ef13d83bf20e4199
                                                                                                                                                                                                      • Instruction ID: bb3a0c3427b6ad34a24ef151da1f5bba878f0071efde783ca6760e8be5e6876f
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 445fa7bb5657631e2454b87089e2e6838ddfea7a1e3368e0ef13d83bf20e4199
                                                                                                                                                                                                      • Instruction Fuzzy Hash: BFA122356087A1CFD7248F38A85136E77A2FF8A320F09866DE5A5873D1DB34AD10CB85
                                                                                                                                                                                                      Function 00408360 Relevance: .3, Instructions: 293COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: efceb4474c8754919e34955767b11e01cdcec574c0cdc4abedb62241ada74e8b
                                                                                                                                                                                                      • Instruction ID: e04948112db42d3daa275aef66cee61d38744a578a2e7a742b1881ec96335045
                                                                                                                                                                                                      • Opcode Fuzzy Hash: efceb4474c8754919e34955767b11e01cdcec574c0cdc4abedb62241ada74e8b
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2A915B31A083564BC3119E24CA8425BBBD2ABC1310F19CA3ED8D1A73E9EE7DDC458BC5
                                                                                                                                                                                                      Function 009885C7 Relevance: .3, Instructions: 293COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: efceb4474c8754919e34955767b11e01cdcec574c0cdc4abedb62241ada74e8b
                                                                                                                                                                                                      • Instruction ID: cbe16572d5ac413135957af00dfbc090216f0cd2750e1d81cf10c701f1046112
                                                                                                                                                                                                      • Opcode Fuzzy Hash: efceb4474c8754919e34955767b11e01cdcec574c0cdc4abedb62241ada74e8b
                                                                                                                                                                                                      • Instruction Fuzzy Hash: F5915071A0C3564BC311AE24C444257B7E6AFC1310FA9CA68D8E5973E9FE78DC458BE1
                                                                                                                                                                                                      Function 0043F820 Relevance: .3, Instructions: 254COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 65fb0a9cf5c7a5beba6f5b7964eaa3617ac053cdeb6c41b82f3fd792d2c361b3
                                                                                                                                                                                                      • Instruction ID: fae485aafa8165bbfa862cfdd16e6316f883ffda102aca194f523248728328e0
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 65fb0a9cf5c7a5beba6f5b7964eaa3617ac053cdeb6c41b82f3fd792d2c361b3
                                                                                                                                                                                                      • Instruction Fuzzy Hash: D381B47160C3828FC319DE28C49062BBBE2AFC9314F198A7EE4D58B391D735D84AC756
                                                                                                                                                                                                      Function 009BFA87 Relevance: .3, Instructions: 254COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 2d568270202be8666c6747a97cae15c503a0743d92dee52a571f55b25c44adc8
                                                                                                                                                                                                      • Instruction ID: da84e792dc18c28003d81eba2d6934b24d5e81ad18748f035c6a441ebd5dda54
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 2d568270202be8666c6747a97cae15c503a0743d92dee52a571f55b25c44adc8
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6681947120C3918FC319CF28C9A066ABBE2AFD5324F188A7DE4D98B391D735D845CB52
                                                                                                                                                                                                      Function 00429ADE Relevance: .2, Instructions: 243COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: ff27bef942aa076814158b0aae043ce6e7546daa84f1ffa5fe42400bbafb5509
                                                                                                                                                                                                      • Instruction ID: c17fc45f9444ad44d9f96848d075c221a78d48c9dc0fb9f00e6e29a18ae657e2
                                                                                                                                                                                                      • Opcode Fuzzy Hash: ff27bef942aa076814158b0aae043ce6e7546daa84f1ffa5fe42400bbafb5509
                                                                                                                                                                                                      • Instruction Fuzzy Hash: C97167B2A087248FD7088F29D85133BB6D2ABC5314F49467DE8969F392DB349C01CB86
                                                                                                                                                                                                      Function 0042DBF0 Relevance: .2, Instructions: 240COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 5e074d498d349d20c17923ebbca61cde330de8c03f771f91164867053bffb89f
                                                                                                                                                                                                      • Instruction ID: 3091657ee4cced5851ca4dbba440f74af0969c41cbc5f8964205a207b597f97a
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 5e074d498d349d20c17923ebbca61cde330de8c03f771f91164867053bffb89f
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5771BAB450D3E08AE7358F25A59839BBFE1AFA3304F584A5DD0D90B392C735440ACB9B
                                                                                                                                                                                                      Function 0040CFEC Relevance: .2, Instructions: 234COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: c0272db486a5433980f84697cda1718a3c11d4939a8aa7d752475a23ba758509
                                                                                                                                                                                                      • Instruction ID: 6f13f5d4f3e8c77ab841d9a888d2aead65439f765ee3ddc41d93c1b162d9100a
                                                                                                                                                                                                      • Opcode Fuzzy Hash: c0272db486a5433980f84697cda1718a3c11d4939a8aa7d752475a23ba758509
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5B516A726057008FD329CF38CC92B577BA3AFD6314B1D866DC4964B796EB39A406C744
                                                                                                                                                                                                      Function 0098D253 Relevance: .2, Instructions: 234COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: c0272db486a5433980f84697cda1718a3c11d4939a8aa7d752475a23ba758509
                                                                                                                                                                                                      • Instruction ID: 5b9cccc4fc38eccbcf0cd2bc5d8ebfc27a3a0210df6bc3f2b0433fae6dd1f764
                                                                                                                                                                                                      • Opcode Fuzzy Hash: c0272db486a5433980f84697cda1718a3c11d4939a8aa7d752475a23ba758509
                                                                                                                                                                                                      • Instruction Fuzzy Hash: DF515972645B008FD329CF38CC82BA67BA3AFD6310B1D866CC5964B7D6DB39A406C750
                                                                                                                                                                                                      Function 0041DCB0 Relevance: .2, Instructions: 221COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 0462499cb7a09d73976aa631a93025f0bedcc576adcecb187d2c9b365651266e
                                                                                                                                                                                                      • Instruction ID: 4a8760de8a520384406f5fad9824bc60f729446c1310b2ee7c15e8b6ebb7b759
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0462499cb7a09d73976aa631a93025f0bedcc576adcecb187d2c9b365651266e
                                                                                                                                                                                                      • Instruction Fuzzy Hash: A5616E37B49A8047E72C8D3C5C5129ABA834BD7330B2DC77EE5B58B3E5D9A94C424345
                                                                                                                                                                                                      Function 0041A690 Relevance: .2, Instructions: 218COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: d937ac78293dbcfc8f2158b33ba3ca81f483dbea9d3a0e83d79815296469ed2d
                                                                                                                                                                                                      • Instruction ID: b37770cdf87477bf2dfa5a22c66fb25a4c567325bff618d86bd3e0eb2f8cdddf
                                                                                                                                                                                                      • Opcode Fuzzy Hash: d937ac78293dbcfc8f2158b33ba3ca81f483dbea9d3a0e83d79815296469ed2d
                                                                                                                                                                                                      • Instruction Fuzzy Hash: D8610737B668904BD7249A3C4C112EA6A130BD733473DC376E974CB3E6C62A8C564396
                                                                                                                                                                                                      Function 0099A8F7 Relevance: .2, Instructions: 218COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: d937ac78293dbcfc8f2158b33ba3ca81f483dbea9d3a0e83d79815296469ed2d
                                                                                                                                                                                                      • Instruction ID: b6b66343f0c1ac7657bf70f2d3104d3ce4005f89667322036c275764511d2969
                                                                                                                                                                                                      • Opcode Fuzzy Hash: d937ac78293dbcfc8f2158b33ba3ca81f483dbea9d3a0e83d79815296469ed2d
                                                                                                                                                                                                      • Instruction Fuzzy Hash: A8610437B2A9914B9F248A3C4C412AA7A535BE733473EC376A9B5CB3E5C6268C0543D1
                                                                                                                                                                                                      Function 0042BBA0 Relevance: .2, Instructions: 207COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: c674e0c62231f339c99bb2794b7516979f28c7009b980525353c599bf5cd72a3
                                                                                                                                                                                                      • Instruction ID: 8f9bf87213cc9725e7ca00057ce5f8087594d7d424e623d20a35489e4cd6523a
                                                                                                                                                                                                      • Opcode Fuzzy Hash: c674e0c62231f339c99bb2794b7516979f28c7009b980525353c599bf5cd72a3
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3861EA317186254BD7249D2DE8C026BB7D2EBC5330F99872EE4B49B3E5D7389C418789
                                                                                                                                                                                                      Function 009ABE07 Relevance: .2, Instructions: 207COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: c674e0c62231f339c99bb2794b7516979f28c7009b980525353c599bf5cd72a3
                                                                                                                                                                                                      • Instruction ID: ecbcae1b520f344b712e56b1021c19e64dc3656b1945c35e7d84cbdc0c07d3f3
                                                                                                                                                                                                      • Opcode Fuzzy Hash: c674e0c62231f339c99bb2794b7516979f28c7009b980525353c599bf5cd72a3
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9361E5727083518BDB249E2DC88026AB7D6AF87734F29872CE5B48B3E6D7718C4587C1
                                                                                                                                                                                                      Function 0041B484 Relevance: .2, Instructions: 201COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: d108ec3c31a6e082106ec2641685d2f0cef7a999d2fab56a64d23736b280515b
                                                                                                                                                                                                      • Instruction ID: 00f4e2759825dcf10c6fc0e57a4f65ea5fa50f8fe0cbaea4274dafa2f605c2a9
                                                                                                                                                                                                      • Opcode Fuzzy Hash: d108ec3c31a6e082106ec2641685d2f0cef7a999d2fab56a64d23736b280515b
                                                                                                                                                                                                      • Instruction Fuzzy Hash: BA4128726147414BD3298B35C8A23B3BBA3EBA6304F1C846EC4D38B756DB3DA50B8754
                                                                                                                                                                                                      Function 0099B6EB Relevance: .2, Instructions: 201COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 50e165b6bb7c753b88c47e3f014378d88afe1eccc8203488f2895be52c8ee4ce
                                                                                                                                                                                                      • Instruction ID: 780123b44e5327dcebd77b823a4aa753c4933273680ce51b92491fdb0ab844fc
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 50e165b6bb7c753b88c47e3f014378d88afe1eccc8203488f2895be52c8ee4ce
                                                                                                                                                                                                      • Instruction Fuzzy Hash: C8415A36A147814BD7298A39C862773BFA7ABE3304F1C846DC4D38B652DB3DA50B8710
                                                                                                                                                                                                      Function 0040CA62 Relevance: .2, Instructions: 193COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 7eb278277fedf1e8d52e66d84e555e82bab7541452ed5cead15742adef644b5f
                                                                                                                                                                                                      • Instruction ID: 618579726118e679aa1534d0b4440190eb114bb965ab7fb83873a39d39203c85
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 7eb278277fedf1e8d52e66d84e555e82bab7541452ed5cead15742adef644b5f
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3E5136766083118BC718DF64D89266BB7E2FFD4304F18DA2EE4C69B390DB749801C786
                                                                                                                                                                                                      Function 0041B667 Relevance: .2, Instructions: 193COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 3c7ccca648bacceba5ebfdb24a7e27f770f2e897686419ce5b318d0413d75915
                                                                                                                                                                                                      • Instruction ID: 6085e876b09a2a4ee967cc73ad16ecd698c2875847a3188e517866274535cc44
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3c7ccca648bacceba5ebfdb24a7e27f770f2e897686419ce5b318d0413d75915
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6E4129726547414BD32A8A35C8623B3BB93EBE2304F1C946EC4D387792D77D940B8354
                                                                                                                                                                                                      Function 0098CCC9 Relevance: .2, Instructions: 193COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 7eb278277fedf1e8d52e66d84e555e82bab7541452ed5cead15742adef644b5f
                                                                                                                                                                                                      • Instruction ID: dc322ddf3e7b36638a2b874c3236a76e251bf7b489d9f7eaccedf3322c706991
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 7eb278277fedf1e8d52e66d84e555e82bab7541452ed5cead15742adef644b5f
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5A5122766083118BC718DF64C89166BB7E2FFD8304F19992DE8C69B391DB749801CB86
                                                                                                                                                                                                      Function 0043ACB0 Relevance: .2, Instructions: 189COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: bd2c80c23f364ae32a5c5ea9ca16968fea39fdfc7921c6944e5ca5627ebbab6b
                                                                                                                                                                                                      • Instruction ID: 0c6b8ba10c1c17cacf5a651755a68f3586d4d6297ac1e50e8e02080b14342633
                                                                                                                                                                                                      • Opcode Fuzzy Hash: bd2c80c23f364ae32a5c5ea9ca16968fea39fdfc7921c6944e5ca5627ebbab6b
                                                                                                                                                                                                      • Instruction Fuzzy Hash: D0515DB15087548FE314DF29D49535BBBE1BBC8318F044E2EE4E987351E379DA088B96
                                                                                                                                                                                                      Function 004418A0 Relevance: .2, Instructions: 181COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: d4a7be8d6558c3dd8f1df628cb5b2d23227bc2ad90207996850777d529df786d
                                                                                                                                                                                                      • Instruction ID: 26aced47306ba8243eb9efc204361966fa7a7ce3dd7d84c478a3f5587c373eec
                                                                                                                                                                                                      • Opcode Fuzzy Hash: d4a7be8d6558c3dd8f1df628cb5b2d23227bc2ad90207996850777d529df786d
                                                                                                                                                                                                      • Instruction Fuzzy Hash: AC514939A08311CFD7109F64D89026AB3E1FB8A315F0D847ED48997360D339D886CB4A
                                                                                                                                                                                                      Function 00402210 Relevance: .2, Instructions: 176COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 76e94ee5ef1ec981491ae59ea2b09b41901541db9a92759e325bf4aa5bc5ab3c
                                                                                                                                                                                                      • Instruction ID: 08a7e479931a5a61fa7b69175e4513341166876bb814eb369fc510c4807828e1
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 76e94ee5ef1ec981491ae59ea2b09b41901541db9a92759e325bf4aa5bc5ab3c
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6651C1B19047019BD3109F389D4871BB7A4BB85338F14473DE8A9A73E1E378E915CB8A
                                                                                                                                                                                                      Function 00982477 Relevance: .2, Instructions: 176COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 76e94ee5ef1ec981491ae59ea2b09b41901541db9a92759e325bf4aa5bc5ab3c
                                                                                                                                                                                                      • Instruction ID: e641455eed037525d5ce0b4308f6aec67dbd6a78cde202489a881ed6386e47e4
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 76e94ee5ef1ec981491ae59ea2b09b41901541db9a92759e325bf4aa5bc5ab3c
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3951BFB19047419BD320AF28DC4471AB7A5AF86338F144B3DF8A9973E0E731E915CB86
                                                                                                                                                                                                      Function 00436610 Relevance: .2, Instructions: 170COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 9fbb2256b73ed4c3e9d4811186088e06edc7d415f1e30715e8a68ccf3e40502c
                                                                                                                                                                                                      • Instruction ID: 54c58fb9e562efe4acf2d46a46492020a6cdaf8e3d7bcc25f04f53f15c8a0988
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 9fbb2256b73ed4c3e9d4811186088e06edc7d415f1e30715e8a68ccf3e40502c
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 435169377499A15BD7288A3C5C222667A830BEB238F3ED76FE4B1CB3E5D55C88024345
                                                                                                                                                                                                      Function 009B6877 Relevance: .2, Instructions: 170COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 9fbb2256b73ed4c3e9d4811186088e06edc7d415f1e30715e8a68ccf3e40502c
                                                                                                                                                                                                      • Instruction ID: a2bd3848c97eff718e1837f5a70976b88357cd952f78d5b35b7f17957e301435
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 9fbb2256b73ed4c3e9d4811186088e06edc7d415f1e30715e8a68ccf3e40502c
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 515127337599904BDB288A3C5D622A67A874BE3334B2DC77EE4F5CB3E2D56D88058350
                                                                                                                                                                                                      Function 0043CB40 Relevance: .2, Instructions: 164COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: aa77b6908eab7f3669129dd6270d874e2da5e3f843f0bb40ad558b4d72932a7f
                                                                                                                                                                                                      • Instruction ID: 871487b85ee081f61f96075d83eee7838f6093090311bf861c268766400ad4d7
                                                                                                                                                                                                      • Opcode Fuzzy Hash: aa77b6908eab7f3669129dd6270d874e2da5e3f843f0bb40ad558b4d72932a7f
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6751E573E159304BD7249D7D9C8125BBA926B86330F2A833AED75EB3D0D6389D0143C5
                                                                                                                                                                                                      Function 009BCDA7 Relevance: .2, Instructions: 164COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: aa77b6908eab7f3669129dd6270d874e2da5e3f843f0bb40ad558b4d72932a7f
                                                                                                                                                                                                      • Instruction ID: 7717e5b516f244f475bb94854edfda35c2bdd0a8e8002dcce0d4799de1e55267
                                                                                                                                                                                                      • Opcode Fuzzy Hash: aa77b6908eab7f3669129dd6270d874e2da5e3f843f0bb40ad558b4d72932a7f
                                                                                                                                                                                                      • Instruction Fuzzy Hash: FE51C173E159204BD7249D7D8C812ABBA926B86730F2A8379ED75EB3D0D6349D0143C1
                                                                                                                                                                                                      Function 00441FB0 Relevance: .2, Instructions: 163COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 4446f949f807e9ee458c4b6688f05107c71ff2d1919e574c04fb78a3db1697f2
                                                                                                                                                                                                      • Instruction ID: 6705176f642ca22527a1125600c687b766c57a0aa9d8b170dddf9af2695ae971
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4446f949f807e9ee458c4b6688f05107c71ff2d1919e574c04fb78a3db1697f2
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0251133421E340DBD3888F38D9A066BB7E2FB86315F48897DE4C687291D335D85ACB45
                                                                                                                                                                                                      Function 009960EF Relevance: .2, Instructions: 159COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 29d48deba50488b5831cc48becd701077cdc31f4289528a70b5869d65e44ecfb
                                                                                                                                                                                                      • Instruction ID: 170642b6fee6ae128203855f86753c1854fec99e25b4f84603d71f0bb8fefcb9
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 29d48deba50488b5831cc48becd701077cdc31f4289528a70b5869d65e44ecfb
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 225129B29082415FDB24CF2CC8D177ABBE5AF95304F084A3DE0DAC7292E635D945CB42
                                                                                                                                                                                                      Function 009C2017 Relevance: .1, Instructions: 125COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 0babd5f88c635bffeceb70a9eb6c40063d50fae8a59a64af2ce8687b780a5886
                                                                                                                                                                                                      • Instruction ID: 0bfde7720873f25436b903319e26c365a58b2819fcc8600850ea1e27ba81238a
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0babd5f88c635bffeceb70a9eb6c40063d50fae8a59a64af2ce8687b780a5886
                                                                                                                                                                                                      • Instruction Fuzzy Hash: B531E73150C3804FD304DF39889262BFBE6ABDA314F59D92ED491CB266D638D501CB42
                                                                                                                                                                                                      Function 0040A05C Relevance: .1, Instructions: 120COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: e5e5745a9e04c2a491c48c9e8dc2ff63359ea52b338f82eca13cde478cb73e3a
                                                                                                                                                                                                      • Instruction ID: 0879eb64182fa33bd680848163e7b412a319af03fbceb7a9ba4b6aa96abc02f2
                                                                                                                                                                                                      • Opcode Fuzzy Hash: e5e5745a9e04c2a491c48c9e8dc2ff63359ea52b338f82eca13cde478cb73e3a
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 51416033B106518BC71C8E68C9923AAFBA3FB8A310B1E523EC955AB785D77C9C1147C4
                                                                                                                                                                                                      Function 0098A2C3 Relevance: .1, Instructions: 120COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: e5e5745a9e04c2a491c48c9e8dc2ff63359ea52b338f82eca13cde478cb73e3a
                                                                                                                                                                                                      • Instruction ID: 322edc513697021798738e8a7036704d045bc5a62d86abf3c3b9483757511a21
                                                                                                                                                                                                      • Opcode Fuzzy Hash: e5e5745a9e04c2a491c48c9e8dc2ff63359ea52b338f82eca13cde478cb73e3a
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 64416233B109518BD71C8E78C8A23AAFBA3FB8A31071E522EC955D7755D7789C024BC4
                                                                                                                                                                                                      Function 0041B243 Relevance: .1, Instructions: 117COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: e063f326ffa53de25d0b9ba43cf0ed4dbc710327434a92a2670b2cdd79f8318c
                                                                                                                                                                                                      • Instruction ID: f81eb2cd5989d868f824b990d4dd2db3b11f7867acd7d29f2a686ef0f787acd2
                                                                                                                                                                                                      • Opcode Fuzzy Hash: e063f326ffa53de25d0b9ba43cf0ed4dbc710327434a92a2670b2cdd79f8318c
                                                                                                                                                                                                      • Instruction Fuzzy Hash: CE3101312047908BCB288F29C4913ABBBF1DB5A314F18596DC1D787782C33DA8868B58
                                                                                                                                                                                                      Function 0099B4AA Relevance: .1, Instructions: 117COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: e063f326ffa53de25d0b9ba43cf0ed4dbc710327434a92a2670b2cdd79f8318c
                                                                                                                                                                                                      • Instruction ID: e2d8909c05763fd68b51f248a5456e1daaefa17e98282b430c95014d454825d1
                                                                                                                                                                                                      • Opcode Fuzzy Hash: e063f326ffa53de25d0b9ba43cf0ed4dbc710327434a92a2670b2cdd79f8318c
                                                                                                                                                                                                      • Instruction Fuzzy Hash: F131F5312047818FCB288F29D5A17ABBBF1DB5A314F18556DC1D787782C37EA846CB54
                                                                                                                                                                                                      Function 0041AB2A Relevance: .1, Instructions: 101COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: dd2de309bfda2136c0d462cb6aa5ae00d2b6fecf143226232f91c3f973c32b9d
                                                                                                                                                                                                      • Instruction ID: 6e138cb6fd9e5e0f0caf11801ec2ce96e74ed1cdd16602e21eaa68cbd0470f93
                                                                                                                                                                                                      • Opcode Fuzzy Hash: dd2de309bfda2136c0d462cb6aa5ae00d2b6fecf143226232f91c3f973c32b9d
                                                                                                                                                                                                      • Instruction Fuzzy Hash: F52128705086C28FD7258B34C8507F3BBA1EF63308F18149ED1C387243E769A55AC769
                                                                                                                                                                                                      Function 0099AD91 Relevance: .1, Instructions: 101COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: a2ce6c0da914478739eba616fd4154f3e88796775ada538367235ffdeb7569ea
                                                                                                                                                                                                      • Instruction ID: 49f9a2e109cabc4f4b75be5264d714b91e782b265f194515bc08a0781150e268
                                                                                                                                                                                                      • Opcode Fuzzy Hash: a2ce6c0da914478739eba616fd4154f3e88796775ada538367235ffdeb7569ea
                                                                                                                                                                                                      • Instruction Fuzzy Hash: D4213A704186C29FDB258B38C850BB6BBE4EF63309F28189DD1C2C7543E725A519C7A5
                                                                                                                                                                                                      Function 00402B20 Relevance: .1, Instructions: 88COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 917414fce93f3a61645b2267817af1f51ed3876599dd6aafba8c5d90dcb27b46
                                                                                                                                                                                                      • Instruction ID: 049965bb47efd5a04a2fd3c18b74188d46e65301c4fa73dca4455e1bd43b6f7b
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 917414fce93f3a61645b2267817af1f51ed3876599dd6aafba8c5d90dcb27b46
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9921D4382581B10BD7188F3C98F4577F7A0A787312729027FEBC2933D2D668A9559668
                                                                                                                                                                                                      Function 00982D87 Relevance: .1, Instructions: 88COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 917414fce93f3a61645b2267817af1f51ed3876599dd6aafba8c5d90dcb27b46
                                                                                                                                                                                                      • Instruction ID: a90a793f763372d776a0c1bfcf6eba1159f0281e2d70e835fe908408029447a8
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 917414fce93f3a61645b2267817af1f51ed3876599dd6aafba8c5d90dcb27b46
                                                                                                                                                                                                      • Instruction Fuzzy Hash: A72105392581B10BDB189F3898F0576F791E78731272A067FEAC2C3382D2149D55C768
                                                                                                                                                                                                      Function 0098BA6C Relevance: .1, Instructions: 73COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 7049adb2f7025235c58f023c4660da274fa3317cab2b6e39ac701c24428ad074
                                                                                                                                                                                                      • Instruction ID: 4b339c5b24b525fe7820ec1bde7ef54da1b7f5f1824e8b86316a56aa40b2a47f
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 7049adb2f7025235c58f023c4660da274fa3317cab2b6e39ac701c24428ad074
                                                                                                                                                                                                      • Instruction Fuzzy Hash: DE21DB71601B408FE721CF22C8913A3BBF2EB95314F09892DC0C297A55CBB8A0068B44
                                                                                                                                                                                                      Function 00438520 Relevance: .1, Instructions: 64COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                                                                                                                                                      • Instruction ID: 11cf033bb50aef6adb2bbe7b02e6cb6781f41557c363ff6b9b8f28e1f234bab9
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 8B11A933A052D40EC3168D3C8840565FFE30AD7635F69939EF4B49B2D2DA2ACD8A8359
                                                                                                                                                                                                      Function 009B8787 Relevance: .1, Instructions: 64COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                                                                                                                                                      • Instruction ID: 4733b3c55f50d8cd4213b1c0e712a05f0b497058fbf59409bf2df74b14978628
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0411E933A051D54EC3168D3C89405A6BFA70A97778F694399F4B49B2D2CE238D8AC750
                                                                                                                                                                                                      Function 0042BB00 Relevance: .1, Instructions: 63COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: c486ac2ce1ad100f0e38d66cbdf0be4d35fa78da5d65ee2e406166fba6341134
                                                                                                                                                                                                      • Instruction ID: 60ee57cc75265846ada0afa1f54ef24058dfca82aab4f0d1b8d5b1c2d5a04392
                                                                                                                                                                                                      • Opcode Fuzzy Hash: c486ac2ce1ad100f0e38d66cbdf0be4d35fa78da5d65ee2e406166fba6341134
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 46019EB1B00B1157DB209E11A8D0B27B7A8AF85708F58443EE8445B746DB79FC05C2D9
                                                                                                                                                                                                      Function 009ABD67 Relevance: .1, Instructions: 63COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 704165ecad2831eee6818578ecb7b66d087a772bcbae644b5281e1cc38099ed0
                                                                                                                                                                                                      • Instruction ID: 7c1eb750229ea993fc32df0cf0112091a0019f35ec7b85141976246304d5e825
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 704165ecad2831eee6818578ecb7b66d087a772bcbae644b5281e1cc38099ed0
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 05017CF160070147E720AE6595C1B3BB2AEAF92B10F18442CE94957783DFB6EC0587E1
                                                                                                                                                                                                      Function 0041B184 Relevance: .1, Instructions: 61COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 5902da4a83a0c680140072e5af1454c543d54360fc1713abbe1431a6a1abbba6
                                                                                                                                                                                                      • Instruction ID: c9cc8284e85fe6abf120993d5689944f48ac7ce1a7ddbbf0d82d0496898c4a81
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 5902da4a83a0c680140072e5af1454c543d54360fc1713abbe1431a6a1abbba6
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6911D331104B508FD7248F25C8243A7BBE1AB56318F198A5DC1E7877D1DB7AE1098B44
                                                                                                                                                                                                      Function 0099B3EB Relevance: .1, Instructions: 61COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 5902da4a83a0c680140072e5af1454c543d54360fc1713abbe1431a6a1abbba6
                                                                                                                                                                                                      • Instruction ID: 5aeb589278012f9a2ba1082155adcef7425af4d824eed9e1d515929e776d1b12
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 5902da4a83a0c680140072e5af1454c543d54360fc1713abbe1431a6a1abbba6
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0811D331104B508FD7248F29C824377BBE19B56318F198A5DC1E787AD1DB7AE10A8B40
                                                                                                                                                                                                      Function 0041B173 Relevance: .1, Instructions: 57COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 153546a5fbbb63670836219b0711ac520bb9ba94bdbc265540c00f4ebd0ea963
                                                                                                                                                                                                      • Instruction ID: f399462e58419c9d3019aec57572db2d86c2935946d127ab36988b8cbde57321
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 153546a5fbbb63670836219b0711ac520bb9ba94bdbc265540c00f4ebd0ea963
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6A0171745082828FD7128F2994206A6FBE0EF63314F1896C7D4D58BA83C368A985C7A9
                                                                                                                                                                                                      Function 0099B3DA Relevance: .1, Instructions: 57COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 153546a5fbbb63670836219b0711ac520bb9ba94bdbc265540c00f4ebd0ea963
                                                                                                                                                                                                      • Instruction ID: f60de2d2b77620555902499183807bc098024076998192f3db4a3ff2058d160e
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 153546a5fbbb63670836219b0711ac520bb9ba94bdbc265540c00f4ebd0ea963
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 00017C641092C28FEB128F28D550BA6FBE0AF63314F1896C6D4D58F6C3D3689949C765
                                                                                                                                                                                                      Function 0041B882 Relevance: .1, Instructions: 56COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: b6779701cec66d85e342211494ba6ca2ab48124764d9d56f55accc6aa658e0e4
                                                                                                                                                                                                      • Instruction ID: 925483313e90eaab4478f3efb897dfea373d722ea9097d537696ebe3f586dc89
                                                                                                                                                                                                      • Opcode Fuzzy Hash: b6779701cec66d85e342211494ba6ca2ab48124764d9d56f55accc6aa658e0e4
                                                                                                                                                                                                      • Instruction Fuzzy Hash: B90184305082C28ED7128F2984207A6FFA0EF63314F1895C7D4D58F6C3C3689985C7A9
                                                                                                                                                                                                      Function 0041BB21 Relevance: .1, Instructions: 56COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: c35b802276cb4cab2e01238cfef8ad4f73f74ed2e8d92cb0ff5c3d327f1c90cc
                                                                                                                                                                                                      • Instruction ID: ce15afb6e8349f4df79a6844a38630f2605c57d7838470a331403b3b5471d388
                                                                                                                                                                                                      • Opcode Fuzzy Hash: c35b802276cb4cab2e01238cfef8ad4f73f74ed2e8d92cb0ff5c3d327f1c90cc
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6D01F2745082828EEB128F29D0107A7FBE0EF63314F18969AC4D58F6C3C379D885C7A9
                                                                                                                                                                                                      Function 0040C3EC Relevance: .1, Instructions: 56COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: cd38a00dc9aa6d99ca01aac821546609123fc2e2b8e046733f98ea8146a72aec
                                                                                                                                                                                                      • Instruction ID: c0b4a7645aed046faff80445a1a00849260a9e0a604dc3165cb580035c2becad
                                                                                                                                                                                                      • Opcode Fuzzy Hash: cd38a00dc9aa6d99ca01aac821546609123fc2e2b8e046733f98ea8146a72aec
                                                                                                                                                                                                      • Instruction Fuzzy Hash: C5110C7025C3808FD7148F54D9D576BBBE1ABD2304F244A2CD5C127292D7F5890987A7
                                                                                                                                                                                                      Function 0099BAE9 Relevance: .1, Instructions: 56COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: b6779701cec66d85e342211494ba6ca2ab48124764d9d56f55accc6aa658e0e4
                                                                                                                                                                                                      • Instruction ID: d515753c9ff67a1313aa130a68f4ee6e47fdb068fb0648f9388ca5be41421160
                                                                                                                                                                                                      • Opcode Fuzzy Hash: b6779701cec66d85e342211494ba6ca2ab48124764d9d56f55accc6aa658e0e4
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9A01AD601092C28FEB128F2C9520BA6FFE0AF63324F1C96C6D0D58F6C3D3689949C765
                                                                                                                                                                                                      Function 0099BD88 Relevance: .1, Instructions: 56COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: fad5250513806df5dd8045c20fe98b1af86ce319376dba478ac7ddfced606c7b
                                                                                                                                                                                                      • Instruction ID: 7f0368efdcc5b284af1f90d8f093ff30f3ffc2f413e0f563c4f40a1118524cb0
                                                                                                                                                                                                      • Opcode Fuzzy Hash: fad5250513806df5dd8045c20fe98b1af86ce319376dba478ac7ddfced606c7b
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 7B01DFA05042C28FEB118F28D010BA6FBE0AFA3324F189696C4D58B6C2D379C845C761
                                                                                                                                                                                                      Function 0041AEFF Relevance: .1, Instructions: 55COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 6d4357f5d039b7e7fc8698bf40539a149331d6485b26d5a26d22b351b8adaedb
                                                                                                                                                                                                      • Instruction ID: 743bb6218d146487c45d38f060deef663a31a3ebd16d578a5b80eb567479d545
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6d4357f5d039b7e7fc8698bf40539a149331d6485b26d5a26d22b351b8adaedb
                                                                                                                                                                                                      • Instruction Fuzzy Hash: FA01A2205082C28EE7128F2984207B6FFA0EF63314F1896C7D4D58F6C3C3699985C7A9
                                                                                                                                                                                                      Function 0099B166 Relevance: .1, Instructions: 55COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 6d4357f5d039b7e7fc8698bf40539a149331d6485b26d5a26d22b351b8adaedb
                                                                                                                                                                                                      • Instruction ID: 4a12ed6cc8a5600efdb21da53248f64a27d04be065fa1a55e45ee9cb2c9ba909
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6d4357f5d039b7e7fc8698bf40539a149331d6485b26d5a26d22b351b8adaedb
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6301AD601092C28FEB124B2C9420BB6FFE0AF63314F1896C6D0D58F6C3D3698949C765
                                                                                                                                                                                                      Function 0040C334 Relevance: .1, Instructions: 54COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: bc8b52f0ebde1275c747968acf05f407d654f666dd441839f953e78bda0e1710
                                                                                                                                                                                                      • Instruction ID: 19ad3dfdcd8e9eec61f1e1188f3eb7c49d356ea6c47e6a039e33f49038878d3c
                                                                                                                                                                                                      • Opcode Fuzzy Hash: bc8b52f0ebde1275c747968acf05f407d654f666dd441839f953e78bda0e1710
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0D11087465C3808BD318CF18D9C075BBBE29BD6314F244A2CD5C117295C7B5990ACB6A
                                                                                                                                                                                                      Function 0098C59B Relevance: .1, Instructions: 54COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: bc8b52f0ebde1275c747968acf05f407d654f666dd441839f953e78bda0e1710
                                                                                                                                                                                                      • Instruction ID: a60d346ae7710f933ad074b8264d2704a3a8954351edfcd048e872905f870a76
                                                                                                                                                                                                      • Opcode Fuzzy Hash: bc8b52f0ebde1275c747968acf05f407d654f666dd441839f953e78bda0e1710
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6A11047465C3808BD718CF28D98076ABBE2ABD6614F244A2CE5C117356C7B1A90ACB66
                                                                                                                                                                                                      Function 0099773F Relevance: .0, Instructions: 49COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 0fc9c2b9ab787b67918dace5e316ea39913c3e7de64737a5f9c964aa54dc5f10
                                                                                                                                                                                                      • Instruction ID: d0011578c24fad6a99f982d89856079adebd60b4684dd0af464a9beafb5b0173
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0fc9c2b9ab787b67918dace5e316ea39913c3e7de64737a5f9c964aa54dc5f10
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5801D66551D3C14BD72A8F7494543EABBE19F97314F0848BEC0C157193EA3D854AC72A
                                                                                                                                                                                                      Function 00980D90 Relevance: .0, Instructions: 43COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                                                                                                                                                      • Instruction ID: 58eaed3c98b071e03e5877ac261f4432f2a5651af2db0859249528cd0637bbc4
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                                                                                                                                                      • Instruction Fuzzy Hash: E501F272A006008FDF61EF60C805BAB33E9FBC6306F0544A4D90ADB382E374A8498F80
                                                                                                                                                                                                      Function 00409E09 Relevance: .0, Instructions: 26COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 4819dc0f6de97b22ad09cbe1b8aaee834e7d75527e88b13adc304dc11fbca5b5
                                                                                                                                                                                                      • Instruction ID: 764d9d3a4717be79920da73eaae230af95e7e9d95c2812270fe992c1b9b69a95
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4819dc0f6de97b22ad09cbe1b8aaee834e7d75527e88b13adc304dc11fbca5b5
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6FE09A389141058FC708CF58C862677B7B0EF0B301F14A06AD982EB3A0E3389D02C7AC
                                                                                                                                                                                                      Function 0098A070 Relevance: .0, Instructions: 26COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 4819dc0f6de97b22ad09cbe1b8aaee834e7d75527e88b13adc304dc11fbca5b5
                                                                                                                                                                                                      • Instruction ID: cf150de29af4e39d8edc1f1deb2223a2fc4cda9d74cf018bf69f980e1412be79
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4819dc0f6de97b22ad09cbe1b8aaee834e7d75527e88b13adc304dc11fbca5b5
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6EE0DF389111458FC704CF58C862677B7B0EF0B314F18A46AD983EB320E3389905D7AD
                                                                                                                                                                                                      Function 0040CEC7 Relevance: .0, Instructions: 24COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 41d706f10eab7f6aa9807f481bba08dd8ed5b6f7244fe64e6bd3362bb5ad2f88
                                                                                                                                                                                                      • Instruction ID: 7afc85315bce952cb7d9511845f2cfe5cc4fdaba4f93361a027a170bce18a72b
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 41d706f10eab7f6aa9807f481bba08dd8ed5b6f7244fe64e6bd3362bb5ad2f88
                                                                                                                                                                                                      • Instruction Fuzzy Hash: B2E07D3461DA008BE218EF12D95543B73B2AF82308711587E91D3276D2CE78A806DB5D
                                                                                                                                                                                                      Function 0098D12E Relevance: .0, Instructions: 24COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 41d706f10eab7f6aa9807f481bba08dd8ed5b6f7244fe64e6bd3362bb5ad2f88
                                                                                                                                                                                                      • Instruction ID: e35c8d373dea88225a01561078363a4a0633a941e141bbf8e7c87f8e4b6bdf42
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 41d706f10eab7f6aa9807f481bba08dd8ed5b6f7244fe64e6bd3362bb5ad2f88
                                                                                                                                                                                                      • Instruction Fuzzy Hash: A6E07D35618AC08BC218FB15DCF193A7363AFC1308750546D905707F53DE74A846CB1E
                                                                                                                                                                                                      Function 0041F2A0 Relevance: .0, Instructions: 21COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
                                                                                                                                                                                                      • Instruction ID: 3e00189c545ef2cffbc0a4c45a62ec63a19577d5de140b8962752aa3758dc2ad
                                                                                                                                                                                                      • Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
                                                                                                                                                                                                      • Instruction Fuzzy Hash: EDD0A7755487A10E9759CD3804A04B7FBE8E947612B1814EFE4D5E7205D239DC46469C
                                                                                                                                                                                                      Function 0099F507 Relevance: .0, Instructions: 21COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
                                                                                                                                                                                                      • Instruction ID: 1b846c1eb927ba74d13020490992a2727c315c4f9b4d487ab48a0ff1341705d4
                                                                                                                                                                                                      • Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 10D0A7616487A10E5F588D7C54B087BFBE8E947712B1815AEF4D1E7115D220EC018659
                                                                                                                                                                                                      Function 0040D334 Relevance: .0, Instructions: 12COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2286256996.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.2286256996.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: c0d29d2c066fb543f05896e7434625b03865aceeb40a931a3d9b644db311bfe7
                                                                                                                                                                                                      • Instruction ID: 8c6602917fdb956e33e5ed0c062c44bb8739f147fa9184780212f41d8b26cb24
                                                                                                                                                                                                      • Opcode Fuzzy Hash: c0d29d2c066fb543f05896e7434625b03865aceeb40a931a3d9b644db311bfe7
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 50C04C69E6C4008B924CCB15AC5153266769B8B254715E03A841663255E234945B950D
                                                                                                                                                                                                      Function 0098D59B Relevance: .0, Instructions: 12COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: c0d29d2c066fb543f05896e7434625b03865aceeb40a931a3d9b644db311bfe7
                                                                                                                                                                                                      • Instruction ID: adf43f4ff167c0b80dd23ad7a7067a4073dd8e3cb3c74e06a450f5eed3c4efd4
                                                                                                                                                                                                      • Opcode Fuzzy Hash: c0d29d2c066fb543f05896e7434625b03865aceeb40a931a3d9b644db311bfe7
                                                                                                                                                                                                      • Instruction Fuzzy Hash: B8C04C69A6C4008A9248CB15AC5053163769B8B254715E429801A53355E22494578A0D
                                                                                                                                                                                                      Function 009C21EA Relevance: .0, Instructions: 8COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 35d2e33cd3e1e12ea04a62caa481261f2aa62d3dab37d938482d2be42403fd6b
                                                                                                                                                                                                      • Instruction ID: d46756a0e1fb04911aea311e00f3b6d6bbb29cfd6f8012ad29779e734c60ec08
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 35d2e33cd3e1e12ea04a62caa481261f2aa62d3dab37d938482d2be42403fd6b
                                                                                                                                                                                                      • Instruction Fuzzy Hash: D7B002749493418BD380CF18D545726F6F0B747615F142919A054F3151D374D9488A5E
                                                                                                                                                                                                      Function 009C1C3E Relevance: .0, Instructions: 6COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 3b31a4ec24c9909080489b0d4d2d3b4d03d345a3c8726ed2263eab24f62679d5
                                                                                                                                                                                                      • Instruction ID: c018d795f0dc3322a67de82126959776e6cc80093cc23c5047751edba26d1c35
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3b31a4ec24c9909080489b0d4d2d3b4d03d345a3c8726ed2263eab24f62679d5
                                                                                                                                                                                                      • Instruction Fuzzy Hash: BC900224D49100CA81408F45A480570E278630B10DF1534109008F3011C210D404450C
                                                                                                                                                                                                      Function 009B6A57 Relevance: 29.9, APIs: 6, Strings: 11, Instructions: 109clipboardCOMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
                                                                                                                                                                                                      • String ID: @$B$C$E$F$K$N$O$t${$}
                                                                                                                                                                                                      • API String ID: 2832541153-984153585
                                                                                                                                                                                                      • Opcode ID: 8fd00541a03fdab39137d35ec259fb7aeeef9dd7c60101cc427a738eb574f5a5
                                                                                                                                                                                                      • Instruction ID: 053bf5e7a10df3717e883a63da6936dee468c7336017f97514d0ec4b30406ca4
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 8fd00541a03fdab39137d35ec259fb7aeeef9dd7c60101cc427a738eb574f5a5
                                                                                                                                                                                                      • Instruction Fuzzy Hash: B9417B7040C3918ED300EF78958935FBFE0AB92328F090D6DE5C986292D6BDD5488BA7
                                                                                                                                                                                                      Function 009A55CF Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 106COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: DrivesLogical
                                                                                                                                                                                                      • String ID: %\)R$,X*^$.T'j$1D6Z$:@&F$?P:V$C`<f
                                                                                                                                                                                                      • API String ID: 999431828-351939610
                                                                                                                                                                                                      • Opcode ID: 4f62df2b81f42cfb46ec157f180c00cd4febe93a651d1f2f065370f133753792
                                                                                                                                                                                                      • Instruction ID: 886c31b05fa93609fadbba7d4c8430964bd58c78765afb9555c01e00ed39a593
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4f62df2b81f42cfb46ec157f180c00cd4febe93a651d1f2f065370f133753792
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6F31DAB46093448FC710DF29C85122BBBF2FFC2318F05981CE5868B724EB799946CB82
                                                                                                                                                                                                      Function 009B6BE7 Relevance: 12.1, APIs: 8, Instructions: 67windowCOMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      • GetDC.USER32(00000000), ref: 009B6BF0
                                                                                                                                                                                                      • GetCurrentObject.GDI32(00000000,00000007), ref: 009B6C11
                                                                                                                                                                                                      • GetObjectW.GDI32(00000000,00000018,?), ref: 009B6C21
                                                                                                                                                                                                      • DeleteObject.GDI32(00000000), ref: 009B6C28
                                                                                                                                                                                                      • CreateCompatibleDC.GDI32(00000000), ref: 009B6C37
                                                                                                                                                                                                      • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 009B6C42
                                                                                                                                                                                                      • SelectObject.GDI32(00000000,00000000), ref: 009B6C4E
                                                                                                                                                                                                      • BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,00CC0020), ref: 009B6C71
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: Object$CompatibleCreate$BitmapCurrentDeleteSelect
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 2843486406-0
                                                                                                                                                                                                      • Opcode ID: 637d2dcd770b1b81d6daddeec98349090a5cabd35a80d80db673790c1e385553
                                                                                                                                                                                                      • Instruction ID: 1d104a2d2ef69b2facbef7e66f425f68f57b7eef99c7af62e122bbf0fcffd6b2
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 637d2dcd770b1b81d6daddeec98349090a5cabd35a80d80db673790c1e385553
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 39214FB9504310EFE3509F609D49B2B7BF8EB8BB11F014929FA59E2290D77498048B67
                                                                                                                                                                                                      Function 009A5367 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 85COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000), ref: 009A5411
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: EnvironmentExpandStrings
                                                                                                                                                                                                      • String ID: +$e$+$e$XY$E#G
                                                                                                                                                                                                      • API String ID: 237503144-1023387988
                                                                                                                                                                                                      • Opcode ID: 796cc6ccac140472a8104463ef7e640a249bdffaa71f860e68154a69d4d8fa0c
                                                                                                                                                                                                      • Instruction ID: 99028755fbce0f278e9cd6702229cc49158099681a075d68b07d9c6eadc7dccd
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 796cc6ccac140472a8104463ef7e640a249bdffaa71f860e68154a69d4d8fa0c
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3821083424C344AFD3148F65D88175FBBE0EBC6714F25C92CE5A857292D775C80A8F86
                                                                                                                                                                                                      Function 009A5A47 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 117COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 009A5B5B
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.2287036505.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_980000_TBI87y49f9.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: EnvironmentExpandStrings
                                                                                                                                                                                                      • String ID: B"@$`J/H$rp
                                                                                                                                                                                                      • API String ID: 237503144-3817236508
                                                                                                                                                                                                      • Opcode ID: d1879db7092e8caf361d2fa4e2e19fcb9f3d80e285b1dd23349b8ef0ea2aa233
                                                                                                                                                                                                      • Instruction ID: 08844dab9eb02755ee184787f8fabfb442e247aef3a6c7a1251eba48278b6d74
                                                                                                                                                                                                      • Opcode Fuzzy Hash: d1879db7092e8caf361d2fa4e2e19fcb9f3d80e285b1dd23349b8ef0ea2aa233
                                                                                                                                                                                                      • Instruction Fuzzy Hash: AC31CDB0E443489FDB10CFA9D8827DEBBB2EF45700F10012CE441BB295D6B55906CFA9