
Windows Analysis Report
CxDfBJ42lP.exe

Overview

General Information

Sample name: CxDfBJ42lP.exe (renamed because the original name is a hash value)
Original sample name: 06d886a5b9ed95722bb25fc607a593f6.exe
Analysis ID: 1646796
MD5: 06d886a5b9ed95722bb25fc607a593f6
SHA1: 3c0ad2d2824c2ce40219db3411c627ca10aec7ed
SHA256: 439ff70913feaa72026b23e5d68b72ead08cc0e09ebb4e4793cc8a5ec9f3cfb6
Tags: Arechclient2, exe, user-abuse_ch

Detection

Family: RedLine
Score: 76 (range 0 - 100)
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected RedLine Stealer
Joe Sandbox ML detected suspicious sample
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Potential time zone aware malware
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Process tree:
  • System is w10x64
  • CxDfBJ42lP.exe (PID: 7752 cmdline: "C:\Users\user\Desktop\CxDfBJ42lP.exe" MD5: 06D886A5B9ED95722BB25FC607A593F6)
Malware family

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale, apparently as a standalone ($100/$150 depending on the version) or on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, including details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
No configs have been found
Yara matches

On the submitted file (CxDfBJ42lP.exe):
  • JoeSecurity_CredentialStealer (Joe Security): Yara detected Credential Stealer
  • JoeSecurity_RedLine (Joe Security): Yara detected RedLine Stealer
  • MALWARE_Win_Arechclient2 (ditekSHen): Detects Arechclient2 RAT. Matched strings (offset, identifier, content as the report prints it):
    • 0xc5837 $s14: keybd_event
    • 0xccae0 $v1_1: grabber@
    • 0xc639e $v1_2: <BrowserProfile>k__
    • 0xc6e1d $v1_3: <SystemHardwares>k__
    • 0xc6edc $v1_5: <ScannedWallets>k__
    • 0xc6f6c $v1_6: <DicrFiles>k__
    • 0xc6f48 $v1_7: <MessageClientFiles>k__
    • 0xc7312 $v1_8: <ScanBrowsers>k__BackingField
    • 0xc7364 $v1_8: <ScanWallets>k__BackingField
    • 0xc7381 $v1_8: <ScanScreen>k__BackingField
    • 0xc73bb $v1_8: <ScanVPN>k__BackingField
    • 0xb832a $v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost
    • 0xb7c36 $v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig

In process memory (00000001.00000000.1265458225.0000000000AB2000.00000002.00000001.01000000.00000003.sdmp, and the process memory space of CxDfBJ42lP.exe PID 7752):
  • JoeSecurity_CredentialStealer (Joe Security): Yara detected Credential Stealer
  • JoeSecurity_RedLine (Joe Security): Yara detected RedLine Stealer

On the unpacked PE (1.0.CxDfBJ42lP.exe.ab0000.0.unpack):
  • JoeSecurity_CredentialStealer (Joe Security): Yara detected Credential Stealer
  • JoeSecurity_RedLine (Joe Security): Yara detected RedLine Stealer
  • MALWARE_Win_Arechclient2 (ditekSHen): Detects Arechclient2 RAT, with the same strings at the same offsets as on the submitted file

No Sigma rule has matched.
No Suricata rule has matched.
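The ditekSHen hits above key on two kinds of literal: C# auto-property backing-field names such as <ScanBrowsers>k__BackingField, which the compiler stores as ASCII in the assembly's #Strings metadata heap and which survive unless a member-renaming obfuscator was applied, and capability strings (keybd_event, the Chromium "SELECT * FROM Cookies" query, FileZilla's sitemanager.xml). The Python below is an added example for this page; it is neither Joe Sandbox code nor the Yara rule itself. It searches a buffer for exactly those literals in both ASCII and UTF-16LE (the .NET user-string heap stores literals as UTF-16) and reports offsets, so the same check can be run over a file on disk or a dumped region such as the 0xAB2000 image listed above. The verdict() threshold is an assumption of this example, not the rule's real condition, which the report does not reproduce; the $v1_9 and $v1_10 entries are left out because the report shows them only as matched bytes. The test buffer is constructed.

```python
"""Locate the Arechclient2/RedLine marker strings from the report in a byte buffer.

Added example for this report; not Joe Sandbox code and not the ditekSHen rule.
"""
import re
from typing import Dict, List, Tuple

# Literal markers taken from the MALWARE_Win_Arechclient2 hits listed in the report.
# The "<Name>k__" / "<Name>k__BackingField" forms are C# compiler-generated
# auto-property backing-field names from the #Strings metadata heap.
MARKERS = (
    "keybd_event",
    "grabber@",
    "<BrowserProfile>k__",
    "<SystemHardwares>k__",
    "<ScannedWallets>k__",
    "<DicrFiles>k__",
    "<MessageClientFiles>k__",
    "<ScanBrowsers>k__BackingField",
    "<ScanWallets>k__BackingField",
    "<ScanScreen>k__BackingField",
    "<ScanVPN>k__BackingField",
    "sitemanager.xml",          # FileZilla site manager (stored FTP credentials)
    "SELECT * FROM Cookies",    # Chromium cookie database query
)

Hit = Tuple[int, str]  # (offset, encoding)


def find_markers(data: bytes) -> Dict[str, List[Hit]]:
    """Return {marker: [(offset, encoding), ...]} for every marker present in data.

    Each marker is searched as ASCII (metadata names) and as UTF-16LE (the .NET
    #US heap, where string literals such as SQL queries live), because a .NET
    binary can carry text in either form.
    """
    hits: Dict[str, List[Hit]] = {}
    for marker in MARKERS:
        for enc in ("ascii", "utf-16-le"):
            pattern = re.escape(marker.encode(enc))
            for m in re.finditer(pattern, data):
                hits.setdefault(marker, []).append((m.start(), enc))
    return hits


def verdict(hits: Dict[str, List[Hit]], min_fields: int = 4) -> bool:
    """Assumed heuristic (not the rule's condition): several backing-field names
    plus at least one capability string. Tune min_fields on your own corpus."""
    fields = [m for m in hits if m.endswith("k__") or m.endswith("k__BackingField")]
    capability = any(m in hits for m in ("keybd_event", "grabber@", "SELECT * FROM Cookies"))
    return len(fields) >= min_fields and capability


def build_sample() -> bytes:
    """Constructed test buffer standing in for a .NET image: a fake MZ header,
    NUL-separated ASCII metadata names, then one UTF-16LE user-string literal."""
    metadata = b"\x00".join(
        s.encode("ascii")
        for s in ("<ScanBrowsers>k__BackingField", "<ScanWallets>k__BackingField",
                  "<ScanVPN>k__BackingField", "<BrowserProfile>k__", "grabber@")
    )
    user_strings = "SELECT * FROM Cookies".encode("utf-16-le")
    return b"MZ" + b"\x90" * 62 + metadata + b"\x00" * 16 + user_strings


if __name__ == "__main__":
    found = find_markers(build_sample())
    for marker, locations in found.items():
        print(f"{marker:32s} {locations}")
    print("arechclient2-like:", verdict(found))
```

To use it on the real sample, pass open(path, "rb").read() or a memory dump to find_markers(); offsets from a dump are relative to the dump start, not the image base.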


                  AV Detection

Source: CxDfBJ42lP.exe; Avira: detected
Source: CxDfBJ42lP.exe; ReversingLabs: Detection: 77%
Source: CxDfBJ42lP.exe; Virustotal: Detection: 75%
Source: submitted sample; Integrated Neural Analysis Model: matched 100.0% probability
Source: CxDfBJ42lP.exe; static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe; code function 1_2_013C768B: 4x nop then jmp 013C77B9h
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe; code function 1_2_013C7751: 4x nop then jmp 013C77B9h
Source: unknown; TCP traffic detected without corresponding DNS query: 172.86.115.43 (reported twice)
Source: CxDfBJ42lP.exe, 00000001.00000002.3137305912.0000000002E31000.00000004.00000800.00020000.00000000.sdmp; string found in binary or memory: https://pastebin.com/raw/yraPuhAK
Source: CxDfBJ42lP.exe, 00000001.00000002.3137305912.0000000002E31000.00000004.00000800.00020000.00000000.sdmp; string found in binary or memory: https://pastebin.com/raw/yraPuhAKPO
Source: unknown; network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown; network traffic detected: HTTP traffic on port 443 -> 49695
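The "TCP traffic detected without corresponding DNS query" lines are the sandbox's way of flagging a destination the process reached by literal IP rather than by name, which is what a hard-coded or dead-drop-fetched C2 address looks like on the wire. The Python below is an added example for this page, not Joe Sandbox or Suricata code, and re-implements that check over a constructed event stream. The timestamps, the resolver address and the fs.microsoft.com -> 184.31.69.3 answer are invented for the example (the report lists that domain and that IP only as whitelisted sandbox noise, not the mapping between them); the connection from local port 49695 to 172.86.115.43:443 is the one the report records. The pastebin raw URL found in memory is the kind of dead drop from which such an address is often fetched, but the report extracted no configuration, so that link is not established here.

```python
"""Flag TCP connections whose destination IP was never returned by a DNS answer.

Added example for this report; not Joe Sandbox or Suricata code.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Event:
    ts: float                      # seconds since start of capture (constructed)
    kind: str                      # "dns" or "tcp"
    dst_ip: str
    dst_port: int = 0
    src_port: int = 0
    qname: Optional[str] = None    # DNS only
    answers: List[str] = field(default_factory=list)  # DNS only


@dataclass
class Finding:
    ts: float
    src_port: int
    dst_ip: str
    dst_port: int


def connections_without_dns(events: List[Event], loopback_ok: bool = True) -> List[Finding]:
    """Return every TCP event whose dst_ip no earlier DNS answer resolved to.

    Events are processed in time order so only answers seen before the
    connection count; a lookup made afterwards does not explain it.
    """
    resolved: Set[str] = set()
    findings: List[Finding] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "dns":
            resolved.update(ev.answers)
        elif ev.kind == "tcp":
            if loopback_ok and ev.dst_ip.startswith("127."):
                continue
            if ev.dst_ip not in resolved:
                findings.append(Finding(ev.ts, ev.src_port, ev.dst_ip, ev.dst_port))
    return findings


def dedupe_by_destination(findings: List[Finding]) -> List[Finding]:
    """Keep the first finding per (dst_ip, dst_port) so one session is one alert."""
    seen: Dict[Tuple[str, int], Finding] = {}
    for f in findings:
        seen.setdefault((f.dst_ip, f.dst_port), f)
    return list(seen.values())


# Constructed event stream modelled on the report: one benign resolution that
# the sandbox whitelists, then the sample's direct TLS connection to the IP the
# report lists, with no DNS lookup preceding it.
EVENTS = [
    Event(ts=1.0, kind="dns", dst_ip="10.0.0.53", dst_port=53,
          qname="fs.microsoft.com", answers=["184.31.69.3"]),
    Event(ts=1.2, kind="tcp", dst_ip="184.31.69.3", dst_port=443, src_port=49680),
    Event(ts=40.5, kind="tcp", dst_ip="172.86.115.43", dst_port=443, src_port=49695),
    Event(ts=41.0, kind="tcp", dst_ip="172.86.115.43", dst_port=443, src_port=49695),
]

if __name__ == "__main__":
    for f in dedupe_by_destination(connections_without_dns(EVENTS)):
        print(f"t={f.ts:6.1f}s  {f.src_port} -> {f.dst_ip}:{f.dst_port}  no prior DNS answer")
```

When running this over real telemetry, feed it DNS answers from the host's own resolver logs or the PCAP; a destination resolved by another process on the same host still counts as resolved, which is why per-process attribution (as the sandbox has) gives a sharper signal than a network tap alone.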

                  System Summary

Source: CxDfBJ42lP.exe, type: SAMPLE; matched rule: Detects Arechclient2 RAT (author: ditekSHen)
Source: 1.0.CxDfBJ42lP.exe.ab0000.0.unpack, type: UNPACKEDPE; matched rule: Detects Arechclient2 RAT (author: ditekSHen)
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe; code functions listed: 1_2_013C1050, 1_2_013CA080, 1_2_013C7598, 1_2_013C8900, 1_2_013C1940, 1_2_013CA070, 1_2_013C4560, 1_2_013C7588, 1_2_013C45F8, 1_2_013C7438, 1_2_013CE4D8, 1_2_013C1738, 1_2_013C1734, 1_2_013CE760, 1_2_013C4608, 1_2_013CD93F, 1_2_013C1931, 1_2_013CD950, 1_2_013C59AB, 1_2_013C88F3, 1_2_013C7D08, 1_2_013C7C24, 1_2_013C59C8
Source: CxDfBJ42lP.exe, 00000001.00000000.1265542581.0000000000B80000.00000002.00000001.01000000.00000003.sdmp; binary or memory string: OriginalFilename dfgfghfghfghfghfgh.exe" vs CxDfBJ42lP.exe
Source: CxDfBJ42lP.exe, 00000001.00000002.3136077147.000000000111E000.00000004.00000020.00020000.00000000.sdmp; binary or memory string: OriginalFilename clr.dllT vs CxDfBJ42lP.exe
Source: CxDfBJ42lP.exe; binary or memory string: OriginalFilename dfgfghfghfghfghfgh.exe" vs CxDfBJ42lP.exe
Source: CxDfBJ42lP.exe; static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: CxDfBJ42lP.exe, type: SAMPLE; matched rule: MALWARE_Win_Arechclient2 (author = ditekSHen, description = Detects Arechclient2 RAT)
Source: 1.0.CxDfBJ42lP.exe.ab0000.0.unpack, type: UNPACKEDPE; matched rule: MALWARE_Win_Arechclient2 (author = ditekSHen, description = Detects Arechclient2 RAT)
Source: classification engine; classification label: mal76.troj.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe; mutant created: NULL
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe; mutant created: \Sessions\1\BaseNamedObjects\f4780255474e4c05adeb08282ec4a3c2
Source: CxDfBJ42lP.exe; static PE information: section .text: IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: CxDfBJ42lP.exe; static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe; key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: CxDfBJ42lP.exe; ReversingLabs: Detection: 77%
Source: CxDfBJ42lP.exe; Virustotal: Detection: 75%
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe; sections loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll (twice), uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, mswsock.dll
Source: CxDfBJ42lP.exe; static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe; code function 1_2_013C41AB: pushfd ; ret (1_2_013C41E6)
Source: CxDfBJ42lP.exe; static PE information: section name: .text, entropy: 6.8362139254773435
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe; process information set: NOOPENFILEERRORBOX (reported 36 times)
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe; memory allocated: 13C0000, memory reserve | memory write watch
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe; memory allocated: 2E30000, memory reserve | memory write watch
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe; memory allocated: 4E30000, memory reserve | memory write watch
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe; thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe; Window / User API: threadDelayed 600
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe TID: 7776; thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe TID: 7776; thread sleep time: -180000s >= -30000s
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe TID: 7756; thread sleep time: -30277s >= -30000s
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe TID: 7756; thread sleep time: -58324s >= -30000s
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe TID: 3276; thread sleep count: 600 > 30
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe TID: 7756; thread sleep time: -45391s >= -30000s
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe TID: 7756; thread sleep time: -57582s >= -30000s
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe TID: 7776; thread sleep time: -60000s >= -30000s
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe; system information queried: CurrentTimeZoneInformation
Source: all processes; thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe; last function: Thread delayed
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe; thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe; thread delayed: delay time: 60000
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe; thread delayed: delay time: 30277
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe; thread delayed: delay time: 58324
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe; thread delayed: delay time: 45391
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe; thread delayed: delay time: 57582
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe; thread delayed: delay time: 60000
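The delay values above are easier to reason about once decoded. 922337203685477 is Int64.MaxValue divided by 10,000 (rounded down), which is what an NtDelayExecution interval of Int64.MaxValue 100-nanosecond units looks like in milliseconds: an effectively infinite wait. The remaining finite delays add up to 311,574 ms, about 5 min 12 s, against an overall analysis duration of 5 min 31 s that ended on timeout, which is consistent with the "Program does not show much activity (idle)" and "Sample execution stops while process was sleeping" signatures. The Python below is an added example, not Joe Sandbox code; it decodes the report's values and applies the cookbook policy quoted later in this report (sleeps above 100,000,000 ms are reduced to 1000 ms). Treating the report's "delay time" numbers as milliseconds is an assumption about the report format.

```python
"""Decode the thread-delay values reported by the sandbox and apply its sleep policy.

Added example for this report; not Joe Sandbox code. Assumes the report's
"delay time" values are milliseconds.
"""
from typing import Iterable, List, NamedTuple

INT64_MAX = 2**63 - 1
# Int64.MaxValue in 100-ns units expressed as whole milliseconds. The report's
# 922337203685477 is exactly this value: an effectively infinite wait.
INFINITE_MS = INT64_MAX // 10_000

# Cookbook rule quoted in the report: sleeps above this are cut to 1000 ms.
CLAMP_THRESHOLD_MS = 100_000_000
CLAMPED_TO_MS = 1_000

# Threshold used by the report's "Thread sleep time ... >= -30000s" signature lines.
LONG_SLEEP_MS = 30_000


class Delay(NamedTuple):
    requested_ms: int
    effective_ms: int   # what the sandbox actually waits under the cookbook policy
    label: str


def decode_delay(ms: int) -> Delay:
    """Classify one reported delay value."""
    if ms == INFINITE_MS:
        return Delay(ms, CLAMPED_TO_MS, "infinite (Int64.MaxValue / 10000), clamped to 1000 ms")
    if ms > CLAMP_THRESHOLD_MS:
        return Delay(ms, CLAMPED_TO_MS, "above cookbook threshold, clamped to 1000 ms")
    if ms >= LONG_SLEEP_MS:
        return Delay(ms, ms, "long sleep (>= 30 s), honoured and flagged")
    return Delay(ms, ms, "short sleep, honoured")


def summarise(delays_ms: Iterable[int]) -> dict:
    """Total requested vs. effective wait so idle time can be compared with the run length."""
    decoded: List[Delay] = [decode_delay(ms) for ms in delays_ms]
    finite = [d.requested_ms for d in decoded if d.requested_ms != INFINITE_MS]
    return {
        "decoded": decoded,
        "finite_total_s": sum(finite) / 1000.0,
        "effective_total_s": sum(d.effective_ms for d in decoded) / 1000.0,
        "clamped": sum(1 for d in decoded if d.effective_ms != d.requested_ms),
    }


# Values from the "thread delayed: delay time" lines of this report.
REPORTED_DELAYS_MS = [922337203685477, 60000, 30277, 58324, 45391, 57582, 60000]

if __name__ == "__main__":
    s = summarise(REPORTED_DELAYS_MS)
    for d in s["decoded"]:
        print(f"{d.requested_ms:>18} ms -> {d.effective_ms:>6} ms  {d.label}")
    print(f"finite sleeps: {s['finite_total_s']:.1f} s, effective wait: "
          f"{s['effective_total_s']:.1f} s, clamped calls: {s['clamped']}")
```

The practical caveat for anyone consuming this report: with the finite sleeps alone eating most of the run, the dynamic side of the analysis is thin (no dropped files, no extracted configuration, a single TLS connection), so the score rests mainly on the static Yara and AV signatures. A longer run, or a cookbook that also shortens the 30 to 60 second sleeps, is needed before concluding anything about the sample's post-sleep behaviour.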
Source: CxDfBJ42lP.exe, 00000001.00000002.3136077147.00000000011B0000.00000004.00000020.00020000.00000000.sdmp; binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllh
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe; process token adjusted: Debug
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe; memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe; queries volume information: C:\Users\user\Desktop\CxDfBJ42lP.exe
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe; queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe; queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe; queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe; queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe; key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

Source: Yara match; file sources: CxDfBJ42lP.exe (type: SAMPLE); 1.0.CxDfBJ42lP.exe.ab0000.0.unpack (type: UNPACKEDPE); 00000001.00000000.1265458225.0000000000AB2000.00000002.00000001.01000000.00000003.sdmp (type: MEMORY); Process Memory Space: CxDfBJ42lP.exe PID: 7752 (type: MEMORYSTR). The report lists these four sources twice in this section, once per matching signature.

                  Remote Access Functionality

Source: Yara match; file sources: CxDfBJ42lP.exe (type: SAMPLE); 1.0.CxDfBJ42lP.exe.ab0000.0.unpack (type: UNPACKEDPE); 00000001.00000000.1265458225.0000000000AB2000.00000002.00000001.01000000.00000003.sdmp (type: MEMORY); Process Memory Space: CxDfBJ42lP.exe PID: 7752 (type: MEMORYSTR)
MITRE ATT&CK matrix

Techniques matched by this analysis, with the number of matching signatures in parentheses (the matrix's unmatched placeholder cells are omitted):
  • Persistence: DLL Side-Loading (1)
  • Privilege Escalation: DLL Side-Loading (1)
  • Defense Evasion: Virtualization/Sandbox Evasion (31), Obfuscated Files or Information (3), Disable or Modify Tools (1), Software Packing (1), DLL Side-Loading (1)
  • Discovery: Virtualization/Sandbox Evasion (31), System Information Discovery (12), System Time Discovery (1), Security Software Discovery (1), Application Window Discovery (1)
  • Collection: Archive Collected Data (1)
  • Command and Control: Encrypted Channel (12), Application Layer Protocol (1)
  • No matches under Reconnaissance, Resource Development, Initial Access, Execution, Credential Access, Lateral Movement, Exfiltration or Impact.
Behavior graph (ID 1646796, sample CxDfBJ42lP.exe, start date 24/03/2025, architecture WINDOWS, score 76): CxDfBJ42lP.exe started; signatures on the root node: Malicious sample detected (through community Yara rule), Antivirus / Scanner detection for submitted sample, Multi AV Scanner detection for submitted file, and 2 other signatures; network: 172.86.115.43 port 443 from local port 49695, PONYNETUS, United States.

Antivirus results for CxDfBJ42lP.exe:
  • ReversingLabs: 78%, label ByteCode-MSIL.Ransomware.RedLine
  • Virustotal: 75%
  • Avira: 100%, label HEUR/AGEN.1307453
No antivirus matches in the report's other four scan tables.


                  No contacted domains info
URLs found in memory (source: CxDfBJ42lP.exe, 00000001.00000002.3137305912.0000000002E31000.00000004.00000800.00020000.00000000.sdmp), not flagged malicious, no antivirus detection, reputation high:
  • https://pastebin.com/raw/yraPuhAK
  • https://pastebin.com/raw/yraPuhAKPO (the first URL followed by two extra characters, as read from memory)
Contacted IPs:
  • 172.86.115.43, domain: unknown, country: United States, ASN 53667 (PONYNETUS), malicious: false
                      Joe Sandbox version:42.0.0 Malachite
                      Analysis ID:1646796
                      Start date and time:2025-03-24 09:39:21 +01:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 5m 31s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                      Run name:Run with higher sleep bypass
Number of new started processes analysed: 12
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:CxDfBJ42lP.exe
                      renamed because original name is a hash value
                      Original Sample Name:06d886a5b9ed95722bb25fc607a593f6.exe
                      Detection:MAL
                      Classification:mal76.troj.winEXE@1/0@0/1
                      EGA Information:Failed
                      HCA Information:
                      • Successful, ratio: 100%
                      • Number of executed functions: 30
                      • Number of non-executed functions: 11
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                      • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                      • Excluded IPs from analysis (whitelisted): 184.31.69.3, 172.202.163.200
                      • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                      • Execution Graph export aborted for target CxDfBJ42lP.exe, PID 7752 because it is empty
• Not all processes were analyzed; the report is missing behavior information
Other samples associated by ASN (PONYNETUS), with detection, threat name and the IP each contacted:
  • boatnet.ppc.elf: malicious, Mirai, 209.141.36.93
  • spc.elf: malicious, Mirai, 198.98.51.68
  • sh4.elf: malicious, Mirai, 198.98.51.68
  • m68k.elf: malicious, Mirai, 198.98.51.68
  • i686.elf: malicious, Mirai, 198.98.51.68
  • ppc.elf: malicious, Unknown, 198.98.51.68
  • arm.elf: malicious, Mirai, 198.98.51.68
  • x86.elf: malicious, Mirai, 198.98.51.68
  • mpsl.elf: malicious, Mirai, 198.98.51.68
                      No context
                      No created / dropped files found
                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                      Entropy (8bit):6.829786255094696
                      TrID:
                      • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                      • Win32 Executable (generic) a (10002005/4) 49.75%
                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                      • Windows Screen Saver (13104/52) 0.07%
                      • Generic Win/DOS Executable (2004/3) 0.01%
                      File name:CxDfBJ42lP.exe
                      File size:842'240 bytes
                      MD5:06d886a5b9ed95722bb25fc607a593f6
                      SHA1:3c0ad2d2824c2ce40219db3411c627ca10aec7ed
                      SHA256:439ff70913feaa72026b23e5d68b72ead08cc0e09ebb4e4793cc8a5ec9f3cfb6
                      SHA512:243216ed3aa463c25f231602e2659b90904408c4426716ca4c8c21e78372711952a876a65a5600cadcaab7a112f68298936771066d6de117fa71b91e68fdcf65
                      SSDEEP:12288:+cZyCM9wN+BEcaVXE35M9pH4j7rql+9s0od6VZsd5X2OtXbkH:UCIza9954w0hkdzt
                      TLSH:B5056CED3A039E32CAE8737984FF6C0891A15BA7AD4171A9D98CD8C45F8535D8B4DBC0
                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g............................>.... ........@.. .......................@.............................................
                      Icon Hash:90cececece8e8eb0
                      Entrypoint:0x4cee3e
                      Entrypoint Section:.text
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                      DLL Characteristics:
                      Time Stamp:0x67D994CC [Tue Mar 18 15:44:12 2025 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:4
                      OS Version Minor:0
                      File Version Major:4
                      File Version Minor:0
                      Subsystem Version Major:4
                      Subsystem Version Minor:0
                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                      Instruction
                      jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xcedec | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd0000 | 0x600 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xd2000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xcce44 | 0xcd000 | d3a78099cd31d56932ff227c0ca31e89 | False | 0.5540205792682927 | data | 6.8362139254773435 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xd0000 | 0x600 | 0x600 | 33ca0a274734eab7811dc63e34874938 | False | 0.3984375 | data | 4.0005741438892635 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xd2000 | 0xc | 0x200 | 15cb7b1ff8576ca844dc3ddfd6d3dd5a | False | 0.044921875 | data | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xd00a0 | 0x304 | data | | | 0.405440414507772
RT_MANIFEST | 0xd03a4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Description | Data
Translation | 0x0000 0x04b0
Comments |
CompanyName |
FileDescription |
FileVersion | 1.0.0.0
InternalName | dfgfghfghfghfghfgh.exe
LegalCopyright |
LegalTrademarks |
OriginalFilename | dfgfghfghfghfghfgh.exe
ProductName |
ProductVersion | 1.0.0.0
Assembly Version | 1.0.0.0


Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 24, 2025 09:40:21.503973007 CET | 49695 | 443 | 192.168.2.6 | 172.86.115.43
Mar 24, 2025 09:40:21.504003048 CET | 443 | 49695 | 172.86.115.43 | 192.168.2.6
Mar 24, 2025 09:40:21.504095078 CET | 49695 | 443 | 192.168.2.6 | 172.86.115.43

                      Target ID:1
                      Start time:04:40:20
                      Start date:24/03/2025
                      Path:C:\Users\user\Desktop\CxDfBJ42lP.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\CxDfBJ42lP.exe"
                      Imagebase:0xab0000
                      File size:842'240 bytes
                      MD5 hash:06D886A5B9ED95722BB25FC607A593F6
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000000.1265458225.0000000000AB2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000001.00000000.1265458225.0000000000AB2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                      Reputation:low
                      Has exited:false

                      Executed Functions

                      Strings
                      Memory Dump Source
                      • Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd
                      Similarity
                      • API ID:
                      • String ID: "vw$%ZbK$(?$6UwH$[tDY
                      • API String ID: 0-1104128927
                      • Opcode ID: fff339ac01696ee60ac1623a594e4cc4fd7c30722898ad9cd1a0db46e713a2d1
                      • Instruction ID: 10f3b57429e28df7b4b147349a88b027edca48ace73d8bdb942af6d5c1c6bc14
                      • Opcode Fuzzy Hash: fff339ac01696ee60ac1623a594e4cc4fd7c30722898ad9cd1a0db46e713a2d1
                      • Instruction Fuzzy Hash: A653D774E0422ACFDB64DF69C984A9AB7F5FB49304F1485AAD819E7315E730AE81CF40
                      Strings
                      Memory Dump Source
                      • Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd
                      Similarity
                      • API ID:
                      • String ID: "vw$%ZbK$(?$[tDY
                      • API String ID: 0-1613493663
                      • Opcode ID: ebcbd6ab934d22a1c9919a33ddf13112b36b4b97a2a021f3a55649137ea032ed
                      • Instruction ID: 69df71e76bf00879f98449a442a4a93a4dd43fea9c4e26ba0b2ae5fc46bb042e
                      • Opcode Fuzzy Hash: ebcbd6ab934d22a1c9919a33ddf13112b36b4b97a2a021f3a55649137ea032ed
                      • Instruction Fuzzy Hash: 0E13C678E0422A8FDB54DF69C884A9EB7F5FB49304F1486AAD418E7315E770AE85CF40
                      Strings
                      Memory Dump Source
                      • Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd
                      Similarity
                      • API ID:
                      • String ID: @^#
                      • API String ID: 0-159667578
                      • Opcode ID: 5fd735653843bb32f45f58428e8b702d2693117c1ce278b3c042e0d98dc9eaaa
                      • Instruction ID: fff9fbc89d256c672009db5fa6dfd2332f5702dbec97fe1f28cd4fcbdc6851c9
                      • Opcode Fuzzy Hash: 5fd735653843bb32f45f58428e8b702d2693117c1ce278b3c042e0d98dc9eaaa
                      • Instruction Fuzzy Hash: 25E29F78E012298FDB64DF69C884A9DBBF5BB49304F1481EAD819E7315E730AE85CF50
                      Strings
                      Memory Dump Source
                      • Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd
                      Similarity
                      • API ID:
                      • String ID: mJPC
                      • API String ID: 0-3228284330
                      • Opcode ID: 9b88c815277f4220a2df752010405b37923f9ce537750e0ecd5d31b467947c58
                      • Instruction ID: 4372b5e48b93dac6e0cdc0485067b3623450a4292baca9f0d3aa9d46e798f276
                      • Opcode Fuzzy Hash: 9b88c815277f4220a2df752010405b37923f9ce537750e0ecd5d31b467947c58
                      • Instruction Fuzzy Hash: F8D2C074E052298FDB60CF69C984BD9BBF5BB49308F1581AAD809E7355E730AE81CF50
                      Strings
                      Memory Dump Source
                      • Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd
                      Similarity
                      • API ID:
                      • String ID: @^#
                      • API String ID: 0-159667578
                      • Opcode ID: 773bc2a4e3a64ac4d32ebc84e1bb527dc12ef4ec82de23df5c8d55cfac241dcc
                      • Instruction ID: f1b07af63330e951552dbfff2915802da1d945518bb17747f70bbbd1ccd20e29
                      • Opcode Fuzzy Hash: 773bc2a4e3a64ac4d32ebc84e1bb527dc12ef4ec82de23df5c8d55cfac241dcc
                      • Instruction Fuzzy Hash: 49C29078E002298FDB64DF69C884A99BBF5BF49304F1481EAD419EB315E734AE85CF50
                      Strings
                      Memory Dump Source
                      • Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID: 0-3916222277
                      • Opcode ID: 09d7c998448ab502257d29b0f8a234662ae059469dad638a4af308f34309ddb7
                      • Instruction ID: 16b3338fbe0bef80522135a6d7c03c662569fb68f879bc3911b7de0d5dc75a3d
                      • Opcode Fuzzy Hash: 09d7c998448ab502257d29b0f8a234662ae059469dad638a4af308f34309ddb7
                      • Instruction Fuzzy Hash: 8D02E678E04219CFEB14DFADD884B9DBBB6FB88304F14816AD809E739AD73499418F51
                      Memory Dump Source
                      • Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 96c90c39c18e0400249c676d88b9b8baa25ee47355397db1ff3de658e5ea638e
                      • Instruction ID: c357df869c83dbea287b21d072da9640cfca1565dc7f75de71e015f130baa1e5
                      • Opcode Fuzzy Hash: 96c90c39c18e0400249c676d88b9b8baa25ee47355397db1ff3de658e5ea638e
                      • Instruction Fuzzy Hash: 5BE26DB4E052298FDB60DF69C984AD9BBF5BB49304F1481EAD809E7315E730AE85CF50
                      Memory Dump Source
                      • Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b5632b9ac6d12ae4f3aa574ecf2da97748cbc0947e12b927b530b3528cec120a
                      • Instruction ID: cb14fa8e0ea1eeb3f68ad25ace975a558b585c0c3ec98077087342fc7c0ebab2
                      • Opcode Fuzzy Hash: b5632b9ac6d12ae4f3aa574ecf2da97748cbc0947e12b927b530b3528cec120a
                      • Instruction Fuzzy Hash: F092B274E042198FDB64CFA9C984ADDBBF5BB89304F1581AAD418EB355E730AE85CF40
                      Memory Dump Source
                      • Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 078597b2354df0e1c63b4e3dc3c188dad7ab823bc00410209948b39f9758cd3b
                      • Instruction ID: ab93ee7aee60983fd6ce4757701af38d28b1859f9f677e5601787d215d1d6477
                      • Opcode Fuzzy Hash: 078597b2354df0e1c63b4e3dc3c188dad7ab823bc00410209948b39f9758cd3b
                      • Instruction Fuzzy Hash: EA927D74E012298FDB64DF69C984ADDBBF5BB49304F1481EAD809A7355EB30AE85CF40
                      Memory Dump Source
                      • Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 794aee78fd22b8f92fb5bf134ce09fd7c8dda3ceb063b1b98acc901e4e32fa62
                      • Instruction ID: 68399c65b9fa98758a995106b93f451bf1a98651958a2b39d9d471ce4f0b4f25
                      • Opcode Fuzzy Hash: 794aee78fd22b8f92fb5bf134ce09fd7c8dda3ceb063b1b98acc901e4e32fa62
                      • Instruction Fuzzy Hash: 30619F71C093D48FD712DB7D98601DDBFB1EF96714F09809AD480EB2A6E6284849CB69
                      Memory Dump Source
                      • Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 21ffbeb766990966b82a2401b84cc13cc630942fbeea2dc4a643d85a683be463
                      • Instruction ID: 6c119f159eecff8adcdcceb6533c6b15af60e3885778a8d671ea35e139ddcfd8
                      • Opcode Fuzzy Hash: 21ffbeb766990966b82a2401b84cc13cc630942fbeea2dc4a643d85a683be463
                      • Instruction Fuzzy Hash: FF416974E012098FDB14CFA8D888AADBBB6FF8A315F14A529D40AE7249D734DC91CF14
                      Memory Dump Source
                      • Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 830ce89b92752b59afd2781ee64ef284889c6cc838ab84b192daf79dcc548fdf
                      • Instruction ID: ebe3c6d5cac134e6cf2995547804cf78939ce2c22560120a378fb0163da808fa
                      • Opcode Fuzzy Hash: 830ce89b92752b59afd2781ee64ef284889c6cc838ab84b192daf79dcc548fdf
                      • Instruction Fuzzy Hash: 35310571E006498BDB18DFAAD8446EEFBF2BF89310F14C129D815AB299DB349846CF54
                      Memory Dump Source
                      • Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 10389572f54e3dc78d86ccae5a8ef82e5b9daca50ae72e3bad7328a9fcf395b5
                      • Instruction ID: 2b9163caaf39a4f721d293730100967b03da9fdce18b565a044e60f474f76dd0
                      • Opcode Fuzzy Hash: 10389572f54e3dc78d86ccae5a8ef82e5b9daca50ae72e3bad7328a9fcf395b5
                      • Instruction Fuzzy Hash: 7231E775E006498BDB18DFAAD8446AEFBF2BF89310F14C129D815AB298DB349846CF54
                      Memory Dump Source
                      • Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7eae2455139b6cd705cd1072c54f3b6424e28c52a00beb7a61ca90d6a2ccbb25
                      • Instruction ID: 1ed382d6e86bb3446b3cdba7d9a283de02dc5169afdfc807eb35aa7607394375
                      • Opcode Fuzzy Hash: 7eae2455139b6cd705cd1072c54f3b6424e28c52a00beb7a61ca90d6a2ccbb25
                      • Instruction Fuzzy Hash: D1212774E012098FDB10DFA8D8849ADBBB6FF8A314F14A528D41AE7255D774EC82CF54
                      Strings
                      Memory Dump Source
                      • Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd
                      Similarity
                      • API ID:
                      • String ID: *
                      • API String ID: 0-163128923
                      • Opcode ID: aab2d6701612b33de78d6c5994b9cfa8b21c0f4278ccbda9ab49ea4fe6fcb84c
                      • Instruction ID: 21598adcb42709de5d6e57174d78e6bb476231345defe61c21dd5f4f5004bc6e
                      • Opcode Fuzzy Hash: aab2d6701612b33de78d6c5994b9cfa8b21c0f4278ccbda9ab49ea4fe6fcb84c
                      • Instruction Fuzzy Hash: A641B074E002199FDB04DFA9D885AEEBBF2FF88310F15816AE415A7354D734A941CF50
                      Strings
                      Memory Dump Source
                      • Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd
                      Similarity
                      • API ID:
                      • String ID: *
                      • API String ID: 0-163128923
                      • Opcode ID: 498a23fbf4e4ab587289ebdc28a646242aadcec6d8de18bbbbab73ae6dde2e74
                      • Instruction ID: c6c851763bb7ba80672db7edd07ab83ef13ffe4c1e205cf0699fbca497e7871d
                      • Opcode Fuzzy Hash: 498a23fbf4e4ab587289ebdc28a646242aadcec6d8de18bbbbab73ae6dde2e74
                      • Instruction Fuzzy Hash: 5241BE74E002199FCB04DFA9D888AEEBBF2FF88310F158169E915A7354DB34A941CF90
                      Strings
                      Memory Dump Source
                      • Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd
                      Similarity
                      • API ID:
                      • String ID: u
                      • API String ID: 0-4067256894
                      • Opcode ID: d03947906f942881bba260a2b86130a34fc5fecdcf99195b37ffd90c34676957
                      • Instruction ID: a0c276329932e52b2eaf7dc589f6fd4bc93cf040be186316450ac8745fe13a4a
                      • Opcode Fuzzy Hash: d03947906f942881bba260a2b86130a34fc5fecdcf99195b37ffd90c34676957
                      • Instruction Fuzzy Hash: 9431E074D0020EDFCB00DFA9C484AEEBBF5BF48314F15956AE414A7254EB34AA85CFA5
                      Strings
                      Memory Dump Source
                      • Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd
                      Similarity
                      • API ID:
                      • String ID: $
                      • API String ID: 0-3993045852
                      • Opcode ID: a96ae82960a9cd0afc362ddf474604de5da8bd2cba569d26527f44bdb06e16f5
                      • Instruction ID: 2c449123a9935ce2714babc4afa89fc3fc9e20d0d7ebbc3d275d49831df62e94
                      • Opcode Fuzzy Hash: a96ae82960a9cd0afc362ddf474604de5da8bd2cba569d26527f44bdb06e16f5
                      • Instruction Fuzzy Hash: D501AD30D4534ADFDB65DF69A8087FDBBB9AF86319F0281AAC404A2155CB78092ACB41
                      Strings
                      Memory Dump Source
                      • Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd
                      Similarity
                      • API ID:
                      • String ID: u
                      • API String ID: 0-4067256894
                      • Opcode ID: 0562aa1c25d6e49b32b0d47307ecd4de8e4d34ed28d2337ae31eb782fa1f56ce
                      • Instruction ID: 54c97b6e7b9e6acc8a19d7760c266a87820381843c47a8a9ab39fbf72ead2ab4
                      • Opcode Fuzzy Hash: 0562aa1c25d6e49b32b0d47307ecd4de8e4d34ed28d2337ae31eb782fa1f56ce
                      • Instruction Fuzzy Hash: A1012474D0024CAFDB10CFAAD8487DDBFB5AB88318F04D069D414B2214DB344585CF55
                      Memory Dump Source
                      • Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4b58a84beee0c11bfc8cd90c4a20695efc09eddc82402aaba46d6dad3caa55a6
                      • Instruction ID: ee7d1427f523f9bde6d1451265013281b963a952c6a448546b255a50c0488987
                      • Opcode Fuzzy Hash: 4b58a84beee0c11bfc8cd90c4a20695efc09eddc82402aaba46d6dad3caa55a6
                      • Instruction Fuzzy Hash: 0C413974D002198FDB14EFA9D844ADEFBB2FF89314F14822AE414A7354DB34A956CB51
                      Memory Dump Source
                      • Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 12cc46e9a7f0629046da8e630475007a2a6819e4dffd61550df8701ea224e5d3
                      • Instruction ID: c2df535d9f26033cf12fde82d40507743ff101abf7299225d1c0d21d7178a747
                      • Opcode Fuzzy Hash: 12cc46e9a7f0629046da8e630475007a2a6819e4dffd61550df8701ea224e5d3
                      • Instruction Fuzzy Hash: 8D11C131B042059BC718EFBDE85465E7FE6EF85202F20857DD50AA7754DE30AD0ACBA1
                      Memory Dump Source
                      • Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: af9888e25b70c11ce5b95f4e95faa59f64ba3cbf0c114634b18f5bf37b8b347b
                      • Instruction ID: f64f6d3e85053ac463670427ca9e8517ca0b3e6784951a54aed09868e3a855d8
                      • Opcode Fuzzy Hash: af9888e25b70c11ce5b95f4e95faa59f64ba3cbf0c114634b18f5bf37b8b347b
                      • Instruction Fuzzy Hash: 8811E031D04348CFEB25CBA8E8483EEBFB0AB8A314F0581BED408A3255C7340915CF91
                      Memory Dump Source
                      • Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 9351fe957a71a5390d1d3abfef1cac3486379b0c1d76ab1317f9415cf8718d81
                      • Instruction ID: 1003cccff8effc21790a44b8649e68260bad93cb2bcc4ce7fd11f3353aa8c3ce
                      • Opcode Fuzzy Hash: 9351fe957a71a5390d1d3abfef1cac3486379b0c1d76ab1317f9415cf8718d81
                      • Instruction Fuzzy Hash: 641100B0C05348EFDB25DB78A80A6AD7FF0AB43311F1085AFC80097291E7700E18CB02
                      Memory Dump Source
                      • Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 954db2d36351f7a61b4708f5fe5bd9d9d4264be9ba2c1c489e080671ab482b42
                      • Instruction ID: 980386cbf172500cbf1d1aed965e84701c063f287572c29c3ba6e3224b8ffc2e
                      • Opcode Fuzzy Hash: 954db2d36351f7a61b4708f5fe5bd9d9d4264be9ba2c1c489e080671ab482b42
                      • Instruction Fuzzy Hash: B001C874E002098FC700DFA8C8889ADBBB2BF4A314F149519D41AAB391D774AC42CF54
                      Memory Dump Source
                      • Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d7fb18ac8df1dbc0c1c18e11c0c6db6e16cfee2087c7173f47f6056f13e997bf
                      • Instruction ID: 6fc5264706ff79e03727bde28f9211b6aacd78cd47cbe7795ad509c001898f07
                      • Opcode Fuzzy Hash: d7fb18ac8df1dbc0c1c18e11c0c6db6e16cfee2087c7173f47f6056f13e997bf
                      • Instruction Fuzzy Hash: 35E0E531D043499BDB119E6AD4093FEBBB9AB86319F415469C10462146DB78451A8B85
                      Memory Dump Source
                      • Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 5d495e153f57778f3d387d328067809792cbdaee89c25deee50b1808c4eb7a76
                      • Instruction ID: 5b09d718af45b1974cc6a0da64c863c1e931f28eead8b5ce21618a06217d4ba3
                      • Opcode Fuzzy Hash: 5d495e153f57778f3d387d328067809792cbdaee89c25deee50b1808c4eb7a76
                      • Instruction Fuzzy Hash: B6F0ECB490034A8FCB00CBA8D8446CC7FF2EF42318F1082AAC409EB2A1EA351D028B42
                      Memory Dump Source
                      • Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 6bd875bec597bf837f45e6bed8ec4ecd3a47030335f35a70f440dacbdcbae0d5
                      • Instruction ID: 574a37d83e246af984c7b8149e96c4ac280012665a7a213f8968c70c803d5f63
                      • Opcode Fuzzy Hash: 6bd875bec597bf837f45e6bed8ec4ecd3a47030335f35a70f440dacbdcbae0d5
                      • Instruction Fuzzy Hash: 43E03930D00309CBEB64ABA9D8086EEBBB8EB8E315F005439D119A2654DB381A158F91
                      Memory Dump Source
                      • Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 0e24cb0061a13d08d8ab31deb78e155e1d2e875dd39ad35b1f041b032f0f30c5
                      • Instruction ID: 36b4140e31232f27883deb144eab90fd056e771ed4ad82db750c35cb42c97723
                      • Opcode Fuzzy Hash: 0e24cb0061a13d08d8ab31deb78e155e1d2e875dd39ad35b1f041b032f0f30c5
                      • Instruction Fuzzy Hash: 33E04F31D0020ADBEB109EAAE4087FEB7B9AB8A315F015429C51462154DB795A298F91
                      Memory Dump Source
                      • Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 827a71396b985dc8a1d4cb32c91cfda6dadab9e2a668ade8afb0c81f13bfba29
                      • Instruction ID: 88edeb581a24222eee651a82d2455ac562794db1a1896e9351d17b4f99a16be8
                      • Opcode Fuzzy Hash: 827a71396b985dc8a1d4cb32c91cfda6dadab9e2a668ade8afb0c81f13bfba29
                      • Instruction Fuzzy Hash: 13E06D74D0020DEBD700EBA8E448A9CBFF6EB45308F0081A99409E3254EB342E54CB81
                      Memory Dump Source
                      • Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 32cf646970b1d12c6ae65fc3eb2d94b607ccd9aa20927b10ae85e25c9901149b
                      • Instruction ID: 958bd750918ac579c2d77fae78b4d1b4b52c96ce5838e1915dae8c29a8011a74
                      • Opcode Fuzzy Hash: 32cf646970b1d12c6ae65fc3eb2d94b607ccd9aa20927b10ae85e25c9901149b
                      • Instruction Fuzzy Hash: 96C012F984E58A13D711C4A48AC22893BD0C621196B164AEE885CC6653D00BC0474745

                      Non-executed Functions

                      Strings
                      Memory Dump Source
                      • Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd
                      Similarity
                      • API ID:
                      • String ID: 'Cz$2vl$?#Wq
                      • API String ID: 0-2846151515
                      • Opcode ID: 7daede38f259d1992988c2d28ff4092c156b4af3685e348d3c27c5236074b605
                      • Instruction ID: 344d2116e49051532a4ae25656adfed4a3c16c016987e4412d14ea01f6be0d12
                      • Opcode Fuzzy Hash: 7daede38f259d1992988c2d28ff4092c156b4af3685e348d3c27c5236074b605
                      • Instruction Fuzzy Hash: E3829174E04219DFDB54CFA9C984ADDBBF5BB89304F1481AAD809AB315E730AE85CF50
                      Strings
                      Memory Dump Source
                      • Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd
                      Similarity
                      • API ID:
                      • String ID: 'Cz$?#Wq
                      • API String ID: 0-1026680534
                      • Opcode ID: fe6656af2f8c96775995bb5b34edf9d1da21c2fef33ced1e4962a17de1136d22
                      • Instruction ID: 36b0366f03f95ac3b3c2e5cff164de82f3c19444bc3b122e3b8fc9ee16610433
                      • Opcode Fuzzy Hash: fe6656af2f8c96775995bb5b34edf9d1da21c2fef33ced1e4962a17de1136d22
                      • Instruction Fuzzy Hash: 1A629174E042199FDB54DFA9C984ADDBBF5BB89304F1481EAD808AB315D730AE85CF50
                      Strings
                      Memory Dump Source
                      • Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd
                      Similarity
                      • API ID:
                      • String ID: N*'U$dp
                      • API String ID: 0-1200039200
                      • Opcode ID: 547749803ed0807654a3ed5582d717727d5257805d2d9fe3947f3d0639825037
                      • Instruction ID: 379eaae45a525527f7a749067ba3adb7f5455f168432e515b97efec887da356e
                      • Opcode Fuzzy Hash: 547749803ed0807654a3ed5582d717727d5257805d2d9fe3947f3d0639825037
                      • Instruction Fuzzy Hash: CF120374E00219CFDB14DFA9C884A9DBBB6FF89304F1481AAD409EB355E734AA45CF50
                      Strings
                      Memory Dump Source
                      • Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd
                      Similarity
                      • API ID:
                      • String ID: KU
                      • API String ID: 0-1863757666
                      • Opcode ID: b85719d826f034d94240a5bc7dc981d434dc0962089091c556558150a097c4c6
                      • Instruction ID: 1ae7268bf0aa761af96494ea71d71cd03ab9e8bc56c54afc0adfacb92b423daa
                      • Opcode Fuzzy Hash: b85719d826f034d94240a5bc7dc981d434dc0962089091c556558150a097c4c6
                      • Instruction Fuzzy Hash: ACD2D278E052298FDB64CF69C884ADDBBF5BB49304F1481AAD819E7355E730AE81CF50
                      Strings
                      Memory Dump Source
                      • Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd
                      Similarity
                      • API ID:
                      • String ID: KU
                      • API String ID: 0-1863757666
                      • Opcode ID: d3455ddc0c69ce371891c320a457352324c126abc884ff7fd71add21559e136a
                      • Instruction ID: 5c16d2385334e30b1c9161103bea1f15db14d36f817a8122c25d949a489d1efe
                      • Opcode Fuzzy Hash: d3455ddc0c69ce371891c320a457352324c126abc884ff7fd71add21559e136a
                      • Instruction Fuzzy Hash: E292C178E042199FDB54CFA9C884AD9BBF5BB89304F14C1AAD818EB355E734AE45CF40
                      Strings
                      Memory Dump Source
                      • Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd
                      Similarity
                      • API ID:
                      • String ID: KU
                      • API String ID: 0-1863757666
                      • Opcode ID: df470b512de99c027a80de4f1a636c49f3480434ac6d94311ae962eb3c237f7d
                      • Instruction ID: ae1ba7232eec032bc35500315a9302b16837a5f46c05d80c2ad9f4b806d687b3
                      • Opcode Fuzzy Hash: df470b512de99c027a80de4f1a636c49f3480434ac6d94311ae962eb3c237f7d
                      • Instruction Fuzzy Hash: 6882CF78E042199FDB54CFA9C884A9DBBF6BB89304F14C1AAD818E7355E734AE45CF40
                      Strings
                      Memory Dump Source
                      • Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd
                      Similarity
                      • API ID:
                      • String ID: N*'U
                      • API String ID: 0-2928747578
                      • Opcode ID: 865c2bab8db3ef02e4b64dfb7f298e94d1a90289c56934badc8097b40afd133c
                      • Instruction ID: 7a40b360561bdda1be6ff2afdb1afb97e7bfbf779b62df31e7a07332c8cc044f
                      • Opcode Fuzzy Hash: 865c2bab8db3ef02e4b64dfb7f298e94d1a90289c56934badc8097b40afd133c
                      • Instruction Fuzzy Hash: 04320478E002198FDB14DFA9C884A9DBBB6FF89304F14C1AAD419EB355E734AA41CF50
                      Strings
                      Memory Dump Source
                      • Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd
                      Similarity
                      • API ID:
                      • String ID: mF%$
                      • API String ID: 0-1223636358
                      • Opcode ID: 978161fd9bf5d9d494daf69fb16b5472e4312b5cb248bb28b6ae0367065c15ad
                      • Instruction ID: a8158ca9b19242b3c39f17f1a97ea4e4c4bec13706c00e621c9426d23f419d5f
                      • Opcode Fuzzy Hash: 978161fd9bf5d9d494daf69fb16b5472e4312b5cb248bb28b6ae0367065c15ad
                      • Instruction Fuzzy Hash: 6A525F74E002299FDB64DFA9C984ADDBBF5BB49304F1481AAD809E7315E730AE85CF50
                      Memory Dump Source
                      • Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: bedc6eeeec2d68d3bb7207193bb3d5a284f96eb71989d8301c37debea7cf4275
                      • Instruction ID: 8b63064921f18a76a7f21dd95b69cb0973eca41f2296a5c857bf664d8fc6bee7
                      • Opcode Fuzzy Hash: bedc6eeeec2d68d3bb7207193bb3d5a284f96eb71989d8301c37debea7cf4275
                      • Instruction Fuzzy Hash: 80325E78E002199FDB64CFA9C984ADDBBF5BB49304F1581AAD809E7315E730AE85CF50
                      Memory Dump Source
                      • Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 417207abc441216ab5caa47e9edddd3e3b3ddbbb879d9312039147ec75baf0be
                      • Instruction ID: 1615ee9e59f9b8108b2ace65ef60a7090912b16995b63b3500f2d67f4a3e4fd2
                      • Opcode Fuzzy Hash: 417207abc441216ab5caa47e9edddd3e3b3ddbbb879d9312039147ec75baf0be
                      • Instruction Fuzzy Hash: 7571A2B4E00219CFDB44CFA9C984A9EBBF2BF88304F248169E515AB365D734A905CF50
                      Memory Dump Source
                      • Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 5026dd9609f589be1eeda2185016ccc4281a03b212990f0a28c048db53eb05cb
                      • Instruction ID: 90bba28d583bc35d9cea099726fa6ad75313b708a0a11da5f83dca897cf60ae8
                      • Opcode Fuzzy Hash: 5026dd9609f589be1eeda2185016ccc4281a03b212990f0a28c048db53eb05cb
                      • Instruction Fuzzy Hash: 8C6192B4E00619CFDB44CFAAC984A9EBBF6BF88304F209169E515AB364D734A905CF54
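Two things in this listing are worth pulling out programmatically rather than by eye: every record points at the same memory dump (00000001.00000002.3136990136.00000000013C0000..., reported as "based on PE: false", i.e. code recovered from a dynamically allocated region rather than from the on-disk image), and the Instruction Fuzzy Hashes of the "Strings" entries agree in the large majority of nibble positions, which suggests one routine repeated with small variations. The Python below is an added example, not Joe Sandbox output and not its hashing or similarity algorithm: it splits the .sdmp name into fields, decodes two of them with the documented Windows constants, and clusters the records by a plain positional nibble-match score. The base-address field is confirmed by the report's own "Offset: 013C0000" line; reading the 00000040 and 00020000 fields as page protection and memory type, the 0.75 threshold, and the record list (copied from the entries above) are this example's assumptions.

```python
"""Triage helpers for a Joe Sandbox function listing (added example, not report output)."""
from itertools import combinations

# Constructed from the listing above: (first 8 chars of Opcode ID, Instruction Fuzzy Hash).
RECORDS = [
    ("7daede38", "E3829174E04219DFDB54CFA9C984ADDBBF5BB89304F1481AAD809AB315E730AE85CF50"),
    ("fe6656af", "1A629174E042199FDB54DFA9C984ADDBBF5BB89304F1481EAD808AB315D730AE85CF50"),
    ("b85719d8", "ACD2D278E052298FDB64CF69C884ADDBBF5BB49304F1481AAD819E7355E730AE81CF50"),
    ("d3455ddc", "E292C178E042199FDB54CFA9C884AD9BBF5BB89304F14C1AAD818EB355E734AE45CF40"),
    ("df470b51", "6882CF78E042199FDB54CFA9C884A9DBBF6BB89304F14C1AAD818E7355E734AE45CF40"),
    ("978161fd", "6A525F74E002299FDB64DFA9C984ADDBBF5BB49304F1481AAD809E7315E730AE85CF50"),
    ("bedc6eee", "80325E78E002199FDB64CFA9C984ADDBBF5BB49304F1581AAD809E7315E730AE85CF50"),
    ("32cf6469", "96C012F984E58A13D711C4A48AC22893BD0C621196B164AEE885CC6653D00BC0474745"),
]

# Memory dump name shared by every record in the listing.
SDMP_NAME = "00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp"

# winnt.h page-protection and MEMORY_BASIC_INFORMATION.Type constants. The values are
# the documented ones; mapping name fields 4 and 6 onto them is this example's assumption.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}


def parse_sdmp_name(name):
    """Split a Joe Sandbox .sdmp file name into its dot-separated hex fields."""
    fields = name.split(".")
    if len(fields) != 9 or fields[-1] != "sdmp":
        raise ValueError("unexpected .sdmp name layout")
    raw = [int(f, 16) for f in fields[:-1]]
    # raw[3] is the region base: the report's "Offset: 013C0000" line confirms it.
    # raw[4]/raw[6] as protection/type is an assumption made for this example.
    return {"base_address": raw[3], "protect": raw[4], "type": raw[6], "raw": raw}


def describe_protection(value):
    return PAGE_PROTECT.get(value, f"0x{value:X}")


def describe_mem_type(value):
    return MEM_TYPE.get(value, f"0x{value:X}")


def hash_matches(a, b):
    """Number of positions where two equal-length hex fuzzy hashes carry the same nibble."""
    if len(a) != len(b):
        raise ValueError("fuzzy hashes must have equal length")
    return sum(1 for x, y in zip(a.upper(), b.upper()) if x == y)


def similarity(a, b):
    return hash_matches(a, b) / len(a)


def cluster(records, threshold=0.75):
    """Single-linkage grouping: one pair at or above the threshold joins two records."""
    parent = {label: label for label, _ in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for (la, ha), (lb, hb) in combinations(records, 2):
        if similarity(ha, hb) >= threshold:
            parent[find(la)] = find(lb)
    groups = {}
    for label, _ in records:
        groups.setdefault(find(label), []).append(label)
    return sorted(groups.values(), key=len, reverse=True)


if __name__ == "__main__":
    info = parse_sdmp_name(SDMP_NAME)
    print(f"base 0x{info['base_address']:X}  protect {describe_protection(info['protect'])}"
          f"  type {describe_mem_type(info['type'])}")
    for group in cluster(RECORDS):
        print(len(group), "function(s):", ", ".join(group))
```

Run as a script, the seven "Strings" entries land in one cluster and the last record, whose hash shares almost nothing with the others, stays alone; the 0x40/0x20000 decode is only meaningful if the field assumption above holds, so confirm it against the sandbox's process memory view before relying on it.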